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ABSTRACT 


The  problems  and  implications  of  privacy  in  today's  computer 
oriented  society  are  many  and  diverse.  The  right  to  privacy  is  not 
a  formal  right  guaranteed  by  the  Bill  of  Rights.  ITow  are  we  to  insure 
that  privacy  will  not  become  a  non-existant  commodity?  Will  the 
creation  of  large  data  banks  containing  personal  inf  -rmation  result 
in  "automated  blackmail"?  Will  the  end  result  be  a  police  type 
dossier  on  every  citizen  in  the  country? 

Will  the  day  come  when  we  will  evolve  into  "cashless" 
society,  where  all  financial  transactions  are  recorded  by  a  computer? 
How  can  we  accrue  the  benefits  that  a  large  data  bank  can  bring  about 
without  the  fear  that  "  Big  Brother"  is  watching  us . 

Some  of  the  possible  solutions  both  legal  and  technical  are 
discussed  along  with  some  current  schemes  being  employed  to  insure 
the  privacy  and  security  of  information.  Additionally,  some  proposals 
are  discussed  which  might  be  used  to  guarantee  file  integrity.  The 
-application  of  cryptography  to  the  security  problem  is  also  discussed. 
Classification  of  the  various  levels  of  protection  is  made  with  sug¬ 
gested  environments  in  which  they  might  be  applicable.  A  suggestion 
is  made  as  to  how  overall  system  performance  might  be  monitored  as 
a  result  of  implementing  high  level  security  and  auditing  routines. 
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PART  I 


INTRODUCTION 

1.1  The  Concept  of  Privacy  in  Today' s  Society: 

The  concept  of  privacy  is  a  sadly  neglected  value  in  our  society. 

It  was  ill  defined  and  rarely  discussed  until  modem  times;  and  while  not 
a  new  concept  it  is  often  treated  as  such  by  commentators  and  social 
scientists.  Our  belief  in  privacy  has  developed  from  a  tradition  of 
limiting  the  surveillance  power  of  authorities  over  most  personal  and  group 
activities.  Alan  F.  Westln  D3  defines  privacy  as  the  claim  of  individuals, 
groups,  or  institutions  to  determine  for  themselves  when.  how.  and  to  what 
extent  information  about  them  is  to  be  communicated  to  others.  Every 
person  at  or.e  time  or  another  desires  to  temporarily  withdraw  from  society 
whether  physically  or  psychologically. 

Specialised  disciplines  such  as  law.  psychology,  or  political 
science  undoubtedly  have  different  interpretations  as  to  what  the  essential 
concepts  of  the  diminishing  concept  should  be.  Professor  Alan  P.  Wes  tin  in 
analysing  privacy  in  an  individual' s  life  recognises  four  significant  functions 
that  privacy  performs:  (1)  Personal  autonomy  (2)  emotional  release,  (3)  self 
evaluation;  and  (4)  protected  communication.  Privacy  is  vital  to  an  indivi¬ 
dual*  s  way  of  life  and  is  essential  to  his  psychological  well  beinv  and  there¬ 
fore  a  basic  human  right. 
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Despite  the  importance  of  privacy,  the  law  has  been  reluctant  to  grant 
privacy  the  same  status  as  other  protected  rights  such  as  freedom  of 
speech,  freedom  of  the  press,  and  etc.  This  is  no  doubt  due  to  the 
fact  that  in  any  political  regime  certain  patterns  of  privacy  and  sur¬ 
veillance  are  necessary  for  the  survival  of  the  social  order.  [15]  This 
becomes  very  clear  when  one  examines  the  concept  of  privacy  in  a 

j 

modern  totalitarian  state  such  as  communism  or  facism  and  compares  it 
to  the  concept  of  privacy  in  a  democratic  or  republican  government.  A 
totalitarian  state  requires  absolute  secrecy  for  itself,  but  maximum 
disclosure  for  its  subjects  in  order  to  exercise  control.  In  a  democracy 
privacy  is  not  required  to  be  an  absolute  right.  Since  democracy  re- 
rulres  particpation  by  its  members  at  least  some  of  the  time,  non¬ 
participation  or  some  private  acts  can  endanger  the  whole  society. 
Unreasonable  privacy  may  threaten  internal  security  unless  lines  are 
drawn.  The  problem  of  effective  police  controls  over  crime  result  in 

a  conflict  of  the  rights  of  the  society  versus  the  individual.  Thus  a 

a 

democratic  state  is  always  searching  for  checks  and  glances  of  private 
ve'  js  public  interests  while  in  a  totalitarian  state  private  Interests  are 
ursurped  as  privacy  is  attacked  as  "immoral1',  "antisocial”  and  "part  of 
the  cult  of  individualism” . 

As  a  result  of  this  reluctance  to  grant  privacy  a  special  status, 
no  United  States  or  English  court  even  ruled  on  the  issue  of  privacy  until 
after  1890.  Some  progress  has  been  made  In  recognition  of  privacy's 
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importance  as  twenty  states  and  the  District  of  Columbia  now  recognize 
privacy  as  cause  for  a  civil  suit. 

The  present  status  of  privacy  as  a  right  is  unclear.  The 
Supreme  Court  has  recognized  the  duty  to  protect  against  invasions  into 
"constitutionally  protected  areas"  and  has  refused  to  permit  evidence 
seized  in  contravention  of  the  Constitution  but,  has  so  far  refused  to 
incorporate  a  right  of  privacy  into  a  Bill  of  Rights. 

1.2  Why  are  People  Worried?  The  Data  Explosion. 

The  age  of  computers  has  given  rise  to  an  enormous  capability 
to  collect,  collate,  classify  and  process  data  about  anything  and  every¬ 
body.  While  many  of  the  records  available  are  not  new,  such  as  birth 
certificates,  security  clearances  ,  tax  roles,  employment  records,  and 
credit  records,  they  have  taken  on  a  new  and  menacing  character.  Con¬ 
temporary  American  society  has  always  been  organized  and  record  conscious, 
and  with  generally  beneficial  results.  However,  with  the  computer,  man 
has  created  the  capability  to  collect,  examine  and  analyze  records  concerning 
an  individual  in  seconds  that  would  previously  have  taken  a  full  time  investi¬ 
gator  months  or  years  to  collect.  Thus  while  the  ability  to  collect  information 
is  not  new  the  computer  has  put  the  spotlight  on  millions  of  people  who  never 
would  have  attracted  anything  more  than  a  cursory  glance  by  a  private  or 
governmental  agency.  Nevertheless,  there  are  potential  advantages  to  the 
use  of  the  computerized  data  bank.  Thus  the  desirability  and  availability  of 
the  computer  utility  and  data  bank  has  started  people  to  thinking  about  the 
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implications  that  readily  available  information  on  large  section  of  the 
population  might  have.  Computer  utilities  are  here  with  a  large  number 
of  on-line  time-sharing  systems  currently  operating.  The  large  utilities 
make  the  advent  of  a  data  bank  possible  and  practical. 

The  public  data  bank  is  thought  to  be  inevitable,  just  as  the 
railroad,  power,  and  telephone  utilities  were.  The  reasons  are  that  it 
is  less  expensive  to  pool  your  resources  and  share  data  rather  than 
generate  and  store  your  own  records. 

Paul  Baran  lists  some  more  easily  followed  examples  on  the 
desirability  of  keeping  so  many  records,  among  these  are: 

a.  Tax  auditors  might  want  to  check  records  of  associates 
of  a  man  under  scrutiny. 

b.  A  company  may  want  to  check  its  personnel  records 
before  making  a  reference. 

c.  Veterans  Administration  may  want  to  examine  a  man's 
military  record  to  validate  a  claimed  service 
connected  disability. 

d.  A  lawyer  may  wish  to  search  Jail  records,  arrest 
records,  and  credit  records  of  all  witnesses  for  the 
plaintiff. 

e.  Professional  licensing  boo.ds  may  want  .information 
concerning  a  man's  character  or  qualifications  . 


f.  Military  may  check  a  man's  background  by  perhaps 
checking  what  library  books  he  checks  out  to 
determine  his  suitability  for  a  sensitive  position. 

g.  Medical  data  banks  could  enable  a  transient  to  get 

improved  medical  aid  by  allowing  the  physician 
access  to  his  medical  history. 

However,  there  exist  no  guidilnes  for  the  handling  and  dissemi¬ 
nation  of  private  information.  Yet  the  clamor  is  to  do  it  now.  There  are 
obvious  advantages  to  pooling  information  as  instantaneously  available 
data  can  improve  the  accuracy  and  speed  of  vital  policy  decisions.  Such 
decisions  are  more  likely  to  be  accural  and  better  correlated  as  they  are 
not  subject  to  individual  distortions.  Some  of  the  factors  to  consider 
are: 

a.  Important  historical  records  are  sometimes  lost 
because  of  the  absence  of  a  consistent  policy 
and  procedure  for  establishing  and  maintaining 
archives . 

b.  The  absence  of  appropriate  standards  and  procedures 
for  file  maintenance  and  documentation  leads  to  low 
quality  files  that  contain  many  technical  limitiations 


in  a  statistical  usage. 
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c.  Many  useful  records  are  produced  as  a  by  product 

of  administrative  or  regulatory  procedures  by  agencies 
that  are  not  equipped  to  perform  a  general  purpose 
statistical  function. 

d.  No  adequate  reference  exists  that  would  allow  users 
to  determine  easily  whether  or  not  records  have  the 
characteristics  of  quality  and  compatibility  that  are 
appropriate  to  their  analytical  requirements . 

e.  Procedures  for  collecting,  coding  and  tabulating 
data  that  were  appropriate  when  developed  now 
lead  to  some  incompatibility  in  record  association 

and  usage  required  by  current  problems  and  the  attendant 
solutions  made  possible  by  computer  techniques . 

f.  There  are  serious  gaps  in  existing  data  records  that 
stand  in  the  way  of  bringing  together  records  of 
greatest  relevance  for  today's  problems. 

g.  The  need  to  bypass  problems  of  record  incompatibility 
in  developing  statistics  appropriate  for  policy  analysis 
places  severe  strains  upon  regulations  restricting  the 
disclosure  of  information  about  individuals.  However, 
technical  possibilities  for  using  the  computer  to  satisfy 
these  statistical  requirements  without  in  any  way  violating 
personal  privacy  have  not  generally  been  developed  and 
made  available  by  the  agencies . 


It  is  obvious  that  input  data  would  have  to  be  validated  before  it  is 
entered  into  the  system.  It  is  also  true  that  unless  legal  precautions  are 
taken  an  individual  might  not  be  aware  of  any  derogatory  information  that  is 
put  into  his  dossier.  It  also  is  possible  that  false  and  slanderous  data 
could  be  inputted  without  the  individual's  knowledge.  Thus  it  is  obvious 
that  the  individual  must  be  part  of  any  validation  process. 

To  most  people  a  computer  printout  looks  quite  official  and 
irrefutable,  yet  computer  printouts  can  be  faked.  Thus  it  is  possible 
that  a  person's  reputation  could  be  jeopardized  by  a  faked  printout.  The 
magnitude  of  information  that  it  is  technically  feasible  to  assemble  is 
enormous.  Laser  technology  will  probably  allow  a  20  page  dossier  to  be 
kept  on  200  million  people  on  a  single  plastic  tape  reel.  Under  such 
conditions  It  might  be  easier  to  Keep  data  rather  than  destroy  it,  thus 
bad  or  derogatory  data  might  not  get  destroyed  if  it  were  at  some  point 
repudiated  by  authorities,  invalidated,  and  ordered  removed  from  all 
records.  Thus  according  to  Baran  rP  we  have  a  balance  problem  that 
must  be  resolved  in  any  implementation  of  the  data  bank. 

1 . 3  Legal  and  Administrative  Safeguards: 

Many  people  are  worried  about  the  possibility  of  such  dossiers 
being  kept  in  such  a  data  bank  and  reacting  strongly  against  the 
proposed  Federal  data  center.  Overreaction  might  prevent  the  system 
from  getting  off  the  ground.  Without  public  trust  the  data  banks  might 
be  fed  false  data  by  a  suspicious  public  thereby  rendering  them  useless. 
Therefore  it  is  in  everyone's  interest  that  safeguards  be  built  into  any 
system  and  most  importantly  that  they  work. 


The  Federal  government  is  more  aware  of  the  problem  than  most 
of  the  states  with  the  possible  exception  of  California  which  has  an 
intergovernmental  agency  that  solicits  opinions  on  the  problem.  The 
big  problem  comes  not  from  the  machines  however,  but  from  men.  The 
motives  and  ambitions  of  political  executives  and  managers  and  careless 
technicians  might  result  in  the  degradation  of  an  individual' s  right  to 
privacy  and  dignity.  Points  to  consider  are: 

a.  The  need  to  study  the  problem  while  there  is 
still  time  and  urge  the  adoption  of  an  industry 
code  for  those  who  design  and  operate  the  computer 
processes. 

b.  If  self  regulation  is  not  imposed,  government 
regulation  will  result  in  the  computer  becoming 
a  villain  instead  of  a  friend. 

c.  The  Washington  D.  C.  chapter  of  the  Association  of 
Computing  Machinery  (ACM)  has  gone  on  record  as 
opposing  a  data  bank  until  it  can  be  demonstrated 
that  a  safe  system  can  be  economically  built. 

(This  is  thought  to  be  a  minority  view  within  the 
chapter) . 

d.  The  right  to  privacy  is  not  protected  by  the 
Constitution  and  is  subject  to  interpretation  of 
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local  courts  and  the  legislature  which  makes 
it  a  very  inconsistently  defined  concept. 

With  these  problem  in  mind  John  McCarthy  suggested  a  computer 
bill  of  rights.  Some  of  the  proposed  rights  were: 

1.  The  rules  governing  access  to  files  are  definite 
and  well  publicized,  and  the  programs  that  will 
enforce  these  rules  are  open  to  any  interested 
party;  including  for  example  the  ACLU . 

2.  An  individual  has  the  right  to  read  hib  own  files, 
to  challenge  certain  kinds  of  entries  in  his  file 
and  to  impose  certain  restrictions  on  access  to 
his  file . 

3.  Every  time  someone  consults  an  individual*  s  file 
the  evert  is  recorded,  together  with  the  authori¬ 
zation  fa  the  access. 

4.  If  an  organization  or  an  individual  obtains  access 
to  certain  information  in  a  file  by  deceit,  this 

is  a  crime  and  a  civil  wrong.  The  injured  party 
may  sue  for  invasion  of  privacy  and  be  awarded 
damages. 

Yet  the  discussion  goes  on,  for  in  1967  the  U.S.  proposed  a 
Rights  to  Privacy  Act  banning  wiretapping  and  electronic  eavesdropping  but,  in 
1968  the  Safe  Streets  and  Crime  Control  Bill  granted  authority  for  wiretapping 
and  eavesdropping  even  without  a  court  order  for  a  limited  time.  Even  if  the 
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the  government  were  to  pass  a  law  protecting  government  files,  state 
and  private  files  would  still  be  a  problem.  Medical  records  are  an 
especially  touchy  area.  One  state  (California)  has  recognized  this 
problem  and  has  declared  state  files  as  public  records. 

1 .4  Security  and  Privacy.  Some  Differences; 

The  idea  of  a  right  to  privacy  is  closely  tied  with  the  traditional 
concept  of  information  security  but,  there  are  important  differences.  A 
basic  problem  in  assuring  privacy  is  security.  Secuiity  is  the  act  of 
preventing  unauthorized  access  and  snooping  of  sensitive  information. 

This  Implies  the  necessity  of  adequate  safeguards  built  into  management, 
and  hardware/software  aspects  of  the  system.  It  would  appear  that  whereas 
privacy  is  a  social  issue,  security  is  a  technical  and  management  problem. 
As  indicated  previously,  privacy  is  related  to  a  person's  personal  history 
and  confidences.  In  the  realm  of  national  and  international  politics, 
security  would  imply  a  linle  to  defense  information.  This  has  led  to  the 
creation  of  three  security  classifications;  Confidential,  Secret,  and  Top 
Secret.  As  far  as  information  vital  to  national  defense  is  concerned  once 
a  classification  for  a  piece  of  information  is  picked,  a  standard  set  of 
rules  and  procedures  are  outlined  for  protection,  aocess,  transmitting, 
and  modification  of  classification  or  oontent. 

Within  the  classifications  of  Confidential,  Secret,  and  Top  Secret 
there  are  various  levels  of  authority.  Security  precautions  are  strengthened 
with  the  "need  to  know-  doctrine  which  states  that  having  the  necessary 
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clearance  or  level  does  not  automatically  grant  one  authority  to  access 
information  if  that  information  is  not  necessary  to  the  success  of  the 
objective. 

Unfortunately,  no  such  standards  exist  within  the  privacy  sphere, 
although  larger  industrial  complexes  do  have  their  own  privacy  classifications 
which  attempt  to  protect  information  vital  to  their  economic  interests. 

Certainly  the  penetration  of  a  large  Industrial  complex  could  be  costly  to 
the  company  and  profitable  to  the  penetrator.  The  problem  of  industrial 
spying  and  espionage  is  a  continuing  crisis.  How  secure  are  the  lines 
of  communication  a  company  uses  ?  Could  a  company  borrow  a  chapter  from 
the  techniques  used  by  the  military  and  encode  their  inter- office  communications. 
If  the  international  data  banks  become  a  reality  it  certainly  will  be  important 
that  a  foreign  company  not  learn  the  company  secrets  of  a  domestic  company, 
thereby  causing  the  domestic  company  to  lose  its  ability  to  compete  in  an 
international  market. 

1,5  Possible  Threats  to  Information  Privacy: 

There  are  a  number  of  methods  that  can  be  used  to  intrude  on 
the  informati  m  stored  in  a  computer.  These  can  best  be  described  by 
separating  them  into  three  categories: 

1 .  Accidental — These  are  usually  the  result  of  user 

error  or  system  error.  The  information  acciden¬ 
tally  received  in  such  a  case  nevertheless 
compromises  the  file. 
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2.  Deliberate,  passive — This  includes  electro¬ 
magnetic  pickup,  and  of  course  wiretapping. 

3.  Deliberate,  active — This  includes  browsing, 
masquerading  as  another  user,  "between  lines" 
entry  while  user  is  inactive  but,  on  channel, 
and  "piggy  back"  entry  by  interception  and  trans¬ 
mitting  an  error  to  the  user.  Also,  core  dump¬ 
ing  to  get  residual  information  that  might 
possibly  of  importance.  This  would  be  the 
computer  age  equivalence  of  reading  a  typewriter 
ribbon. 

One  of  the  problems  with  any  sort  of  digital  communication  is  that 
many  people  are  lured  into  a  false  sense  of  security  because  the  information 
being  transmitted  is  in  digital  form.  However,  all  that  is  needed  to  success¬ 
fully  wiretap  is  a  tape  recorder  and  a  conversion  table  to  decode  the  digital 
patterns.  It  is  also  possible  >  compromise  a  file  by  imposing  unnecessaiy 
safeguards  on  a  piece  of  information  ami  thereby  possibly  preventing  vital  or 
complimentary  information  from  readhing  a  policy  making  board  whose  decision 
might  be  influenced  by  the  availability  of  certain  information.  Lastly,  but 
Important  is  the  integrity  of  the  personnel  who  operate  the  computation  utility 
such  as  operators,  engineers,  and  management.  It  has  even  been  suggested 
that  computer  scientists  and  programmers  be  licensed  as  a  way  of  insuring 
their  integrity.  The  problem,  with  this  idea  is  that  programmers  tend  to  be 
individualists  and  would  reject  this  an  unnecessary  regimentation. 


PART  II 


THE  FUNCTION  OF  THE  DATA  BANK 

2.1  Purpose  and  Scope  of  the  Data  Bank: 

Some  confusion  exists  as  to  just  what  a  data  bank  Is  and  what  its 
purpose  is.  Added  to  confusion  is  the  presence  of  the  computer  utility.  The 
data  bank  is  viewed  as  being  somewhat  different  from  a  computer  utility.  The 
utility  provides  computational  power,  business,  scientific  and  filing  service* 
while  the  primary  purpose  of  the  data  bank  is  the  safe  keeping  of  subscriber's 
files.  In  otherwords,  the  data  bank  is  an  autom  1  library,  which  may  or 
may  not  be  tied  in  with  a  computer  utility  or  a  user*  s  own  computer  system. 

In  the  case  of  a  library  it  is  relatively  simple  matter  to  keep  Improper 
or  sensitive  information  out  of  the  hands  of  unauthorized  personnel  by  denying 
them  physical  access  to  the  critical  storage  area.  In  a  data  bank  the  objectives 
are  similar  but,  the  problems  in  achieving  the  desired  end  are  greater.  The 
processing  and  storing  of  sensitive  information  and  preventing  it  from  falling 
into  the  wrong  hands  is  a  technological  problem  requiring  a  comprehensive 
examination.  Thus  a  decision  must  be  made  as  to  what  is  needed  in  the  way 
of  security.  Before  this  decision  can  be  made  an  examination  of  the  type  of 
infon.  ition  that  a  data  bank  will  be  required  to  handle  mu&t  be  made. 

2.2  Types  of  Information  Stored  In  a  Data  Baric 

While  the  possible  uses  and  the  scope  of  services  are  numerous 
it  is  possible  to  broadly  categorise  the  type  of  information  to  be  stored  in  a 

data  bank  Into  four  classes  as  follows: 
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1 .  Private  information  -  to  be  used  by  individuals 
and  families  in  an  emergency  (perhaps  medical 
information  to  be  relayed  to  a  physician  perform¬ 
ing  emergency  medical  aid  and  in  need  of  the 
patients  medical  history)  or  in  routine  personal 
business  (accounts  due,  income  tax  data,  bank 
accounts,  etc.).  The  information  is  generally 
not  to  be  shared  with  outside  parties. 

2 .  Private  information  to  be  used  and  shared  within  a 
group  such  as  confidential  company  data,  defense 
informat.  <n  or  intelligence  information  not  to  be 
released  to  anyone  outside  of  the  cognizant  group. 

3.  Private  information  shared  at  cost  to  subscribers; 
e.g. ,  computer  utilities  sharing  procedures  fora 
royalty.  Information  or  service  to  be  sold  to  the 
public  but,  stored  in  a  public  data  bank.  Public 
libraries  might  use  the  data  bank  as  one  phase  of 
user  services. 

4 .  Shared  public  information  available  to  everyone 
at  no  cost.  Census,  statistics,  stock  market 
quotes,  government  records  and  etc. 


2.3  Types  of  User/Subscriber/Clients/Partlclpants  of  a  Data  Bank 


Invariably  a  data  bank  will  attract  a  wide  range  of  users  whose 
intent  and  goals  vary.  The  types  of  participants  of  a  data  bank  are: 

a.  Individuals  or  groups  who  permit  information  about 
themselves  to  be  stored  for  public  as  well  as  individual 

good.  Thus  an  individual  might  store  his  medical 
records  or  history  in  a  file  to  make  it  available  in 
an  emergency.  Due  to  the  possibly  sensitive 
nature  of  this  data  the  individuals  or  groups  would 
probably  insist  on  suggesting  a  classification  and 
security  controls  over  this  information.  Certainly 
they  w^uld  wish  to  determine  who  and  under  what 
conditions  legitimate  parties  could  access  this  in¬ 
formation,  (Medical  data,  etc.). 

b.  Individuals  who  keep  information  for  safekeeping  and 
processing  exclusively  for  their  own  use.  Company 
policies,  trade  secrets,  bank  accounts,  statements 
of  loss  and  earnings  are  possible  examples.  The 
Department  of  Defense,  intelligence  agencies, 

National  Security  Council  and  others  would  want 
exclusive  and  absolute  rights  to  certain  data.  This 
of  course  presumes,  perhaps  unrealistically,  that  a 
data  bank  can  be  made  absolutely  secure. 
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c.  Individuals  who  keep  information  in  a  data  bank  for 
renting  and  royalty.  To  these  the  data  bank  serves 
as  a  secure  storage  facility  from  which  computer 
utilities  attached  to  the  data  bank  rent  these 
procedures  as  part  of  their  services  to  their  sub¬ 
scribers.  In  otherwords,  the  data  bank  serves 

as  a  storage  and  distribution  center  from  which  an 
accounting  of  the  type  and  amount  of  usage  of  his 
files  can  be  made  so  as  to  bill  the  utilities  attached 
to  the  data  bank  who  presumably  would  bill  their 
customers. 

d.  Individuals  whose  apparent  desire  is  to  steal  unauthorized 
information.  They  have  no  apparent  legitimate  use  of  the 
data  bank  in  mind  but.  operating  under  the  guise  of  a 
legitimate  subscriber  will  try  to  obtain  company  secrets 
or  private  information  by  covert  means.  Obviously, 
allowance  for  the  detection  of  this  class  of  user  must  be  made.. 

The  possibly  personal,  sensitive,  or  proprietary  nature  of  information 
makes  security  in  a  data  bank  mandatory.  Consequently,  operators  of  data  banks 
whether  public  or  private  will  be  under  pressure  to  guarantee  the  effectiveness 
of  security  procedures.  The  wide  acceptance  of  data  banks  will  most  cer¬ 
tainly  be  delayed  until  legislation  results  in  the  data  bank  being  liable  for 
damages  resulting  from  unauthorized  disclosure  of  a  subscribers1  file.  This 
is  a  very  cirtical  area,  if  regulations  are  too  strict  or  the  conditions  under 
which  damages  may  be  awarded  capricious  or  arbitrary  the  public  data  bank 
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may  never  be  an  effective  tool  for  society  due  to  unnecessary  harassment. 

On  the  other  hand  if  the  data  banks  are  misused  public  distrust  will  insure 
their  demise. 

2.4  Function  of  a  Secure  Data  Rank 

To  be  a  useful  tool  the  data  bank  must  have  a  certain  number  of 
capabilities  and/or  characteristics.  Several  of  these  functions  are 
possibly  unique  to  the  data  bank,  such  as  information  classification  and 
detection  and  information  validation.  In  a  computer  utility  there  are  usually 
no  attempts  made  to  insure  the  authenticity  of  information  inputted  to  the 
system.  The  validation  required,  is  the  distinction  between  the  data  bank  and  the 
computer  utility.  Management  plays  an  increasingly  important  role  in  the 
data  bank  operating  policy.  With  this  in  mind  some  of  the  functions  of  a 
secure  data  bank  would  be: 

1.  Information  classification  and  detection  -  When  information 
is  received,  it  must  be  analyzed  and  classified  according 
to  the  sensitivty  of  its  contents.  It  would  be  assumed 
here  that  what  constitutes  private  or  sensitive  information 
is  determined  by  the  policy  set  either  by  the  government  or 
the  data  bank.  The  principles  of  this  policy  would  be  used 
to  determine  the  private  nature  of  the  lnA.  ition  received. 

Based  on  the  nature  of  the  information,  a  security  classifi¬ 
cation  would  be  assigned. 


18 


2.  Receiving  validation  and  permission  to  use  the  information  - 
After  recognizing  that  the  received  information  is  sensitive 

the  data  bank  would  next  seek  the  validity  (the  truthfulness)  of  the 
the  information  from  the  individual  himself  as  well  as 
request  permission  to  use  the  information  for  private  and 
public  good.  This  process  allows  him  to  correct  any  mis¬ 
information  as  well  as  bestowing  upon  him  the  right  to  refuse 
the  use  of  the  information.  The  data  bank  should  permit  the 
individual  to  see  his  personal  information  anytime. 

3.  File  update  and  manipulation  functions-The  data  bank  must 
provide  for  basic  operations  permitting  the  updating  and 
changing  of  files  stored  in  the  system.  Retrieval  of  files 
and  the  storage  of  new  files  must  be  s  mple  and  efficient. 

4 •  Access  control  and  protection  of  information  -  A  data  bank 
must  also  have  the  capability  of  specifying  and  controlling 
access  of  information  during  transmission,  manipulation 
and  static  storage.  Additional  protection  can  be  obtained 
by  encryption  of  the  data  base. 

5.  Surveillance,  threat  monitoring  and  system  recording 

functions  -  Overall  system  security  can  be  considered  as 
part  of  a  general  purpose  surveillance  and  monitoring 
routine  where  all  major  components  of  the  system  are 
monitored  including  the  security  functions  such  as  threat 
monitoring,  access  control,  and  file  processing.  All  of  these 
functions  must  of  practical  necessity  operate  under  the 
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assumptions:  (1)  that  operators  of  the  system  are  trustworthy, 

(2)  system  personnel  have  some  knowledge  of  snooping  tech¬ 
niques,  (3)  cost  of  breaking  through  security  is  much  greater 
than  the  cost  of  the  information  stored  in  the  data  bank. 

A  parallel  but  independent  activity  will  be  that  of  surveillance  and 
threat  monitoring  function.  It  is  a  watch-dog  function  always  "looking"  at 
all  the  operations  taking  place  at  the  data  bank  and  recording  significant 
events . 

2.5  Representation  of  Data  Flow  in  a  Security  Oriented  Data  Bank 

The  data  bank  model  outlined  in  Figure  1  represents  the  basic 
structure  of  a  security  oriented  system.  A  remote  station  inputs  data  to  the 
central  data  bank  site  via  a  decoder/encoder  (D/E) .  The  D/E  serves  to 
protect  information  in  transit.  Information  received  at  the  central  site 
through  the  communications  modulator  demodulator  (modem)  may  be  left 
in  the  encoded  form  by  bypassing  the  decoder. 

A  security  profile  for  new  information  is  established  by  a  classifi¬ 
cation  phase  (Figure  3).  This  information  is  used  by  the  access  control  and 
management  routines  to  provide  necessary  safeguards  and  protection.  (Figure 
4)  After  identification  and  analysis,  the  access  control  and  management 
routines  are  used  to  authenticate,  to  monitor  accesses,  to  update  and  modify 
file  linkages,  to  create  capability  lists,  and  to  control  processes  permitted 
in  the  data  space.  In  some  cases  an  extremely  sensitive  file  may  be  stored 
in  the  encrypted  form.  The  file  processor  is  dedicated  having  only  the  ability 
to  assign  storage  space  and  to  insure  its  efficient  utilisation.  The  processor 
cannot  address  Itself  to  the  contents  of  any  file  and  merely  serves  a  retrieval 


and  storage  function. 


Model  of  a  Data  Bank, 

(a)  r^uipment  Configuration 
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Data  Flow.  -  Data  Transformation  in  a  Data  Bank 
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2.6  Information  Classification 

The  first  phase  of  data  bank  operation  from  a  security  point  of  view 
is  classification  of  information  to  be  stored  in  the  bank.  The  information 
will  be  either  of  a  sensitive  or  insensitive  nature.  Sensitive  material  will 
be  of  the  types  outlined  previously.  The  classification  phase  must  recognize 
and  validate  this  information  according  to  a  prescribed  policy.  Certain  classes 

i 

of  data  will  be  stored  for  long  periods  of  time  and  this  information  must 
receive  special  attention  to  insure  its  preservation.  This  data  will  be  of 
the  type  which  can  be  recovered  if  mutilated  or  lost*  such  as  bank  accounts  or 
personal  information.  Still  other  data,  such  as  archives  will  be  non-recoverable 
if  lost. 

2.7  Validation  Process 

The  goal  of  any  validation  process  is  to  insure  the  accuracy  of  infor¬ 
mation.  Validation  serves  to  protect  the  rights  of  the  Individual.  A  definite 
problem  exists  in  attempting  to  protect  the  individuals  rights  while  main¬ 
taining  the  usefulness  of  the  data  bank.  Census  and  medical  information 
require  special  validation  procedures.  Presumably,  once  verified  certain 
classes  of  information  (medical*  etc.)  may  be  accessed  by  a  participant 
at  any  later  time. 

2.8  Access  Control  and  Protection  of  Information 

The  meaning  of  access  in  this  context  is  the  display  of  files  stored 
within  this  system  so  as  to  permit  operations  like  read*  write*  or  updato. 

The  reasons  for  controlling  access  are  obvious*  no  cne  wishes  another  party 
to  initiate  activity  in  his  files  without  permission.  The  phases  of  access 


control  are: 


23 


Entry  & 
Access 


(1)  User  identification 

(2)  Analysis  of  User  Request 


(Access 

Control 

function) 


(3)  Granting  user  access  to  specific  files  with  specific 
constraints  on  his  activity 


Activity 

monitoring 

(Surveil¬ 

lance 

function) 


(4)  Watch  dogging  of  his  file  activity 


Exit 

(Access 

control 

function) 


(5)  User*  s  exit  from  the  system  -  terminates  surveillance 
activity  whenever  a  user  leaves  the  system. 


User  Identification 

The  most  elemental  form  of  access  control  is  identifying  the 
user  as  a  legitimate  subscriber  to  the  data  bank.  Some  way  is  needed  of 
Jetting  the  system  know  who  the  user  is.  This  is  the  objective  of  the  password. 
The  password  is  a  sequence  of  symbols  Introduced  by  tho  user  into  the  system 
to  be  used  later  by  the  system  in  recognising  the  user.  The  types  of  password 
schemes  that  are  prevalent  (9]  are: 

1.  Single  or  fixed  password  schemes 

2.  Changeable  passwords 

3.  Randomised  password.  The  next  password  is  a  function 
of  the  current  password. 

4.  Functional  passwords  which  categorise  the  user  regarding 
his  security  classifications. 

5.  Voice  recognition  scheme. 
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More  elaborate  schemes  may  be  desirable  since  the  integrity  of 
passwords  is  not  always  assured.  One  technique  to  improve  this  is  the 
use  of  one-time  passwords.  Lists  of  randomly  selected  passwords  would 
be  stored  in  the  computer  in  a  consecutive  manner  and  avllnble  to  the  user. 
After  signing  in,  the  user  takes  the  next  word  on  the  list  .transmits  it  and 
crosses  it  off,  the  processor  compares  it  with  its  own  list  and  permits  access 
if  they  agree  [9].  Lists  are  stored  internally  and  are  kept  in  a  secure  housing 
and  the  next  password  can  be  queued  by  a  key  lock.  Another  method  uses 
random  number  generators  to  accomplish  a  similar  end  by  compiling  a  list 
of  one  time  passwords. 

Another  possibil  ity  is  that  upon  logout  the  user  types  in  a  code  word 
that  he  makes  up  on  the  spot.  The  computer  then  requests  that  word  the 
next  time  the  user  logs  in. 

One  method  that  holds  promise  is  that  after  "signing  in"  the 
computer  supplies  the  user  with  a  pseudorandom  number.  The  user  performs 
some  unique  transformation,  preferably  a  simple  algebriac  one  and  sends  the 
answer  back  to  the  system.  The  system  then  performs  the  same  trans¬ 
formation  internally  and  compares  answers.  An  example  of  such  a  trans¬ 
formation  would  be:  R 

P(x)  *  ]T  odd  digits  of  x^*  ♦  hour  of  the  day 
l-l 

The  advantage  hare  is  that  a  snooper  may  intercept  the  argument  of  the  function 
or  answer  transmitted  to  the  computer,  but  he  doesn' t  know  the  nature  of  the 
transformation  so  the  data  is  useless. 
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The  Dial  Up  and  Call  Back  option  available  for  the  RUSH  System  T8] 
is  unique  in  that  whenever  a  sensitive  file  is  required  to  be  accessed,  the 
user's  identity  is  verified  by  calling  him  up  by  telephone  and  requesting  his 
password  to  the  file.  (The  user  can  then  modify  the  password  if  he  did  not 
authorize  the  access.) 

Some  passwords  may  oe  grouped  into  functional  classes  whereby 
each  functional  class  is  associated  with  a  given  security  profile.  Every 
system  has  many  commands  not  accessable  to  every  user.  Certain  pass¬ 
words  might  be  associated  with  a  restricted  subset  of  these  while  others 
encompass  a  greater  instruction  repretoire.  Additionally,  passwords  might 
refer  to  capability  lists, place  limits  on  time  of  interaction,  and  limit  the 
number  of  entries . 

Voice  recognition  schemes  are  relatively  new  to  this  application  but 
a  voice  pattern  might  be  used  as  a  password  or  cod*.  At  the  present  state 
of  the  art  a  voice  recognition  scheme  is  likely  to  be  expensive  and 
unreliable.  Until  more  reliable  techniques  are  available  it  should  be  used 
to  reenforce  a  more  conventional  system  rather  than  replace  it. 

The  primary  advantage  of  simple  passwords  is  their  convenience 
to  the  user  and  low  cost.  The  more  elaborate  changeable  password  schemes 
may  be  more  expensive,  but  they  are  more  secure.  The  primary  choice  will 
depend  upon  the  sensitivity  of  information  and  possible  threats.  If  the 
terminal  is  in  same  building  as  the  computer  then  a  simple  password  scheme 
may  be  adequate.  If  large  groups  share  a  common  terminal  more  elaborate 
password  schemes  may  be  needed. 
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Analysis  of  User  Request 

The  analysis  of  a  user' s  request  invokes  determining; 

1.  The  users  permitted 

2.  The  files  requested  by  the  user 

3.  Interrogating  a  file  owner' s  list  to  determine  whether 
the  owner  has  given  a  particular  user  permission  to 
acces_  his  files. 

4.  Determining  the  types  of  file  restrictions  required  by 

file  owners  on  their  subscribers.  These  restrictions  might  be: 

a.  Free  access  (no  restrictions) 

b.  Paid  for  access  priviledge  based  on  time  duration,  etc. 

c.  Constraints  on  the  use  of  the  file.  (See  section  on 
Protection  Measures) 

2.9  Implementing  Analysis  of  User  Request 

The  users  request  can  be  analyzed  by  setting  up  a  user  directory 


which  specifies  pertinent  restrictions.  Granting  access  to  files  with 
restrictions  involves  turning  on  surveillance  functions: 

USER  DIRECTORY 


Password 

User's 

User's  File 

Restrictions 

List  of  Users 

List  of  Users 

Name 

No. 

on  User's 

who  are 

who  have  per- 

Participa- 

authorized  to 

mitted  him  to 

tion 

use  his  files 

access  their 

and  constraints 

files  and 

! 

imposea 

constraints 

imposed 

2.10  Watch  Dogging  of  User* s  File  Activity 

Once  a  user  obtains  access  to  a  file  he  is  not  in  unlimited  control 
of  that  file.  He  is  informed  of  restrictions  imposed  upon  him  by  the  file's 
owner.  This  serves  to  prevent  the  user  from  wasting  his  time  attempting 
to  perform  an  operation  that  he  has  no  authority  to  perform.  Whenever 
restrictions  are  imposed  the  system  surveillance  functions  are  turned  on. 
These  functions  enforce  the  access  constraints  on  all  user's.  The  use  has 
not  escaped  the  surveillance  of  these  watch  dog  functions  even  though 
his  access  is  legitimate  .  These  functions  are  discussed  more  fully  later. 

2.11  User's  Exit  From  System 

During  the  periods  of  time  a  user  is  utilizing  the  system,  he  will 
inevitably  create  many  parallel  processes  such  as  arithmetic  subroutines 
filing  and  searching  routines  I/O  and  etc.  Only  after  all  user  created 
processes  have  been  completed  or  ceased  should  surveillance  functions 
be  terminated  for  that  particular  user.  Obviously  printing,  plotting,  billing 
of  user  and  activity  reports  may  continue  after  the  user  has  left  the  system. 


PART  III 


BASIC  PROTECTION  METHODS  -  DYNAMIC  PROTECTION 

3.1  Ine  nature  of  the  Protection 

The  type  of  protection  to  be  provided  depends  upon  the  activity 
in  progress.  The  types  of  information  activities  are: 

1.  Information  in  transit 

2.  Information  in  manipulation 

3.  Information  in  storage 

Information  in  all  cases  is  subject  to  equipment  and  media  failure. 
During  transmission  equipment  and  media  failure  problems  can  be  minimized 
by  redundancy  in  the  form  of  error  detection  and  correction  codes  .  Security 
(protection  from  snooping  can  be  provided  by  the  encryption  of  transmitted 
data.  Similarly  protection  during  manipulative  processes  can  be  effected  by 
redundant  arithmetic  coding  and  multiple  comparisons  of  arithmetic  processes. 
Security  can  be  provided  by  having  a  physically  secure  processing  environment 
or  perhaps  even  direct  manipulation  of  encrypted  data. 

3.2  Integrity  Management 

Control  and  security  of  the  computational  facility  itself  is  one  of  the 
most  obvious  portions  of  a  secure  system.  Yet,  it  is  the  most  overlooked  or 
perhaps  ignored  in  a  civilian  atmosphere  where  people  tend  to  take  for  granted 
any  intelligent  appearing  individual.  This  is  not  much  of  a  problem  at  a  small 
facility  as  each  worker  is  well  known.  However,  at  a  large  facility  it  is 
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relatively  easy  to  get  away  with  something  as  many  people  will  not  question 
your  presence  in  fear  of  irritating  a  supervisor  or  inspector  from  another 
department. 

Controls  can  be  placed  on  engineers  and  technicians  who  make 
modifications  or  repairs  to  hardware  to  insure  that  a  bugging  device  has  not 
been  planted.  Measures  can  be  taken  to  Insure  that  excessive  radiation  is 
not  being  transmitted  inadvertently.  Insuring  that  the  CRT  terminals  are 
secure  is  important  a$  a  lot  can  be  learned  from  them  by  a  trained  observer 
or  operator.  Another  problem  in  an  over  the  counter  facility  such  as  the  one 
used  at  the  University  of  Texas  is  that  computer  printouts  are  insecure  and 
it  is  a  trivial  matter  to  steal  a  computer  printout.  While  this  is  not  normally 
important  in  this  type  of  usage  it  nevertheless  could  be  a  problem.  Lastly, 
it  is  possible  for  some  operator  to  fool  the  system  by  some  operation  known 
only  to  him.  The  key  question  is  can  the  file  protection  schemes  be  voided 
by  some  circuitous  manner? 

Protection  of  information  in  storage  is  a  bit  more  involved .  Stored 
information  is  nevertheless  subject  to  the  same  media  and  equipment  failure 
problems.  The  possible  protection  techniques  against  system  or  device 
failures  are: 

(a)  Redundant  coding  of  stored  information 

(b)  Back-up  files  -  duplicate  files 

(c)  Storage  in  different  media  at  different 
locations . 
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Security  protection  of  stored  information  can  be  achieved  by: 

(a)  Control  of  access  to  files  and  media 

(b)  Encrypting  the  information  stored 

(c)  Miscellaneous  techniques  such  as  parity  schemes. 

(discussed  later) 

3.3  Protection  For  Security 

As  indicated  before  protection  for  security  can  be  provided  by  the 
following  functions:  (i)  user  entry  authorization  by  password  schemes(user 
identification)  (ii)  Access  control  restrictions  on  files  and  (iii)  Security 
protection  of  the  stored  information  by  encryption.  We  shall  next  consider 
access  control  protection  and  static  protection  of.  stored  information. 

3.4  Dynamic  Access  Protection 

This  is  primarily  proteption  during  accessing.  All  of  the  standard 
password  schemes  may  be  applied  in  this  phase.  Regardless  of  the  password 
scheme  used  the  essential  aspects  of  all  password  schemes  for  an  access 
into  the  files  is  the  determination  of; 

(1)  Who  wants  the  access 

(2)  What  does  he  want  (which  file) 

(3)  Whose  file  is  requested 

(4)  Has  the  owner  approved  the  access,  for  example: 

(a)  Type  of  access  permitted;  READ,  WRITE, 

EXECUTE  ONLY,  and  any  special  restrictions. 


Levels  of  Access 


The  simplest  type  of  access  is  the  single  level  access  where  only 
one  file  is  accessed  and  the  file  does  not  initiate  any  further  references  to 
other  files  as  a  result  of  being  called .  The  example  below  demonstrates 
this  simple  case 

Single  Access 

GJ  TD 


of  a  single  level  access.  Multiple  level  accesses  however,  may  Initiate 
calls  to  many  files  as  a  result  of  a  single  call.  In  the  example,  procedures 
and  data  of  file  1  call  file  2  which  inturn  call  on  file  3,  etc.  There  must  be 
some  retum  link  to  the  calling  file.  An  access  path  as  implied  in  the 


example  is  in  reality  an  address  pair  between  which  a  jump  is  authorized. 

A  gate  or  entry  point  becomes  an  address  to  which  jumps  are  permitted  from 
specified  sources  under  certain  processing  restrictions. 

In  organizing  a  system  it  becomes  apparent  that  there  is  over-head 
associated  with  maintaining  the  user  authorizations  of  the  sources  and  the 
destinations  of  many  different  possible  file  interactions.  This  information 
may  be  kept  either  by  the  operating  system  or  within  each  file.  If  it  is 
kept  at  the  system  level  the  cost  increases  rapidly  with  the  proliferation 
of  users.  Thus  costs  are  likely  to  be  distributed  over  all  users  rather  than 
those  who  require  complex  or  special  arrangements.  Yet,  if  the  system  is 


small  and  the  file  structure  is  not  too  complex,  distribution  of  access 
directories  by  embedding  them  within  each  file  may  reduce  the  system 
burden,  yet  a  centralized  file  access  authorization  procedure  could  be 
advantageous  from  the  viewpoint  of  speed  and  integrity. 

3.5  Access  Restriction  Specification 

The  purpose  of  access  restrictions  specifications  are  to  specify 
who  is  to  look/see  his  files  and  what  a  user  is  to  be  allowed  to  do.  The 
file  owner  specifies  the  user  names  or  file  names  of  those  who  can  access 
his  file.  In  the  course  of  building  a  usable  file  structure  two  types  of 
accessing  specifications  modes  can  be  encountered;  (1)  explicit  specifi¬ 
cation  and  (2)  the  implicit  specification.  In  an  explicit  specification,  a 
file  is  explicitly  accessed  by  its  name  etc. ,  and  requested  to  take  an 
action  or  manipulate  data.  Implicit  access  specification  results  when 
files  themselves  initiate  further  accesses  as  a  result  of  a  request.  Such 
a  situation  exists  when  a  user  requests  access  to  files  containing 
specific  procedures.  In  this  procedure  "vendors"  are  polled  for  the  loca¬ 
tion  of  the  information  and  if  a  particular  vendor  file  does  not  have  it,  it 
may  refer  the  request  to  other  files.  The  explicit  access  bypasses  the 
searching  procedure  for  the  sake  of  speed,  but,  results  in  a  complicated 
file  structure  while  the  implicit  access  slows  down  response  while 
simplifying  communications. 
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Explicit  Specification  Implicit  Specifications 
Example  of  an  Explicit  Access  Specification: 


Example  of  an  Implicit  Access  Specification: 


Assume  that 

Uj  wants  income  tax  procedure  file. 

U2  requests  for  file  but  does  not  have  it. 

U3  requests  U2  for  it,  U2  refers  to 

U2  requests  U.,  U.  has  it  therefore  U 
gets  the  file  name  from  Uj . 

Some  of  the  questions  that  may  arise  when  a  user  accesses 
a  file  and  finds  it  locked  or  in  use.  Is  it  desirable  to  queue  a  user  for 


access  or  abort  him  from  the  system?  The  latter  can  be  inconvenient  but, 
suppose  the  file  was  being  modified  fcr  the  purpose  of  excluding  that  user  by 
removing  his  authorisation?  Then  truly  you  cannot  now  give  him  access  to 


the  file 
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Another  problem  associated  with  access  restrictions  is  bookkeeping. 
If  the  access  bookkeeping  is  kept  by  the  file  owner  himself,  the  operating 
system  overhead  over  the  total  system  will  be  reduced.  However,  the 
supervisor  has  ultimate  responsibility  to  enforce  the  file  owner's  access 
control  policy.  Possibly  each  source  file  could  maintain  lists  of  files  it  may 
directly  access  along  with  the  type  of  access  restriction  imposed.  The 
destination  file  upon  receiving  an  access  request,  checks  the  source  and 
operation  it  is  permitted  to  accept.  This  could  be  passed  to  as  many  files  as 
was  necessary. 

3.6  File  Restriction 

Basic  file  restriction  can  be  considered  to  be  a  function  of  the 
protection  afforded  the  memory  space .  Thus  the  file  owner  may  specify  a 
number  of  protection  restrictions  that  may  be  imposed  even  if  the  access  is 


valid. 

1 .  Read/Write-Examine,  oopy/update  files  or  write  new 
code,  modify  old  code,  etc. 

2.  Read  only  (re-entrant)  -  copy  code  but  cannot  change 
it  in  any  way. 

Read  Write 

3 .  Execute  only  (no  copy)  -  run  a  program  using  the 

Restrictions 

procedures  in  the  file  without  benefit  of  seeing  the 
code. 

Submit  data  and  receive  an  answer. 

4.  Read/Write  (single  process  only)  -  only  one  user  at  a 
time  allowed  access. 

5.  No  read,  write  -  No  copying  or  coding. 
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Boundary  or 
space  restrictions 


Processing 

Restrictions 


G. 


Boundary  restrictions 

7.  Modifyable/not  modlfyable  fields  in  records 

8 .  Specified  authorized  user  interaction  i .  e . , 
system  can  modify  anything  (R/W>  but,  user 
can  read  only.  (ROM) 

9.  Execute  only 

10.  Specified  size  bounds  on  new  records  added  etc. 
An  example  of  how  the  file  space  is  organized  is  illustrated  in  Figure  5 . 


File  Memory  Spaoe 


Access 
Restrictions 


Consider 
1(E);  S(R/W) 

as  an 
access 

restriction 


Intra  File 
Restric¬ 
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dress  & 
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Mechanism! 


Restrictions 
on  Accessed 
Memory; 

Locked 

During 

Process 


READ/WRITE 


READ  ONLY 
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The  meaning  of  the  J(E);  S(R/W)  access  restriction  would  be 
to  limit  user  J  to  an  execute  only  mode  while  he  is  in  the  accessed  space, 
while  user  S  is  restricted  to  Read  or  Write.  Thus,  the  actual  restriction 
on  the  file  for  a  specific  user  will  be  the  union  of  the  access  and  the  file 
restrictions,  viz.. 

Actual  restriction  ■ 

Access  Restriction  U  File  Restriction 

3.7  System  Performance,  Threat  Surveillance  Management 

Associated  with  any  secure  system  would  be  the  ability  to  trace 
and  record  all  accesses  of  protected  files.  Such  a  recording  function 
would  enjoy  the  same  degree  of  protection  as  the  access  control  routines . 

If  the  recording  function  is  to  produce  meaningful  data  it  cannot  be  snooped, 
modified,  or  aborted.  The  recording  function  could  record  information  such 
as  (1)  Access  path  associated  with  every  success ful  and  unsuccessful 
access.  (2)  What  did  the  recess  change,  read,  execute,  or  did  it 
restructure  the  file  or  change  the  access  paths. 

The  justification  for  implementing  such  a  function  go  far  beyond 
the  idea  of  merely  providing  a  security  trace  routine.  Consider  tits  large  problem 
of  evaluating  system  performance  and  efficiency.  Most  systems  are  optimised 
with  respect  to  the  manufacturer's  generalised  view  of  typical  operating  condi¬ 
tions.  In  the  field  the  model  doesn't  always  fit*  As  a  result,  many  systems 
undergo  evaluation  end  modification  in  the  field.  Essential  to  these  evalua¬ 
tions  are  statistical  studies  of  such  things  as  (1)  File  activity  (2)  Reliability 
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and  malfunction  detection  (3)  Security  effectiveness.  Thus  it  is  apparent 
that  the  recording  function  could  justify  itself  in  many  ways. 

3.8  Functions  of  a  System  Activity  Recording  Function 

(1)  This  is  an  Independent  watch  dog  of  activity  always  monitoring 
the  processes  in  parallel. 

(2)  Measuring  and  accounting- Billing  according  to  time  and 
processes  requested. 

(3)  Records  of  activity  would  also  be  useful  in  determining 
intermittent  faults,  etc. 

(4)  It  should  provide  simulated  threats  and  intrusions  into 
system  to  note  the  effectiveness  of  countermeasures. 

To  carry  out  these  activities  would  require  that  the  functions  have 

(1)  Parallel  processing  ability 

(2)  Access  to  all  registers 

(3)  Collaborative  computation  on  common  data 

(4)  Ability  to  freeze  system  for  purpose  of  taking  snapshots  of 
registers,  access  paths  and  terminal  intersections. 

Information  gathered  must  be  selective.  The  advantage  to  this  is  that  it 
requires  less  storage  space.  The  disadvantage  of  selective  data  gathering 
is  that  useful  information  may  be  lost  for  future  analysis. 

An  example  of  what  a  surveillance  funct<cn*could  do  is  the  technique 
of  threat  monitoring .  Threat  monitoring  is  a  logical  extension  of  the  password 
Idea.  This  approach  relios  on  the  detection  of  attempted  or  actual  penetration 
of  the  system  or  file  to  provide  real-time  responses  to  the  system  supervisor. 
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Monitorlny  uses  cancelling  of  activities,  tracing  or  post  facto 
analysis  to  aid  in  the  identification  and  classification  of  penetration 
attempts.  A  special  function  records  all  attempts  at  entering  a  file, 
whether  too  muc!  time  used,  etc,  and  reports  thip  to  the  file  owner  and 
the  user  so  appropriate  action  can  be  taken.  Suggestions  have  included 
mounting  of  removal  files  on  drives  with  special  disable  circuits.  Perhaps 
the  disk  pack  itself  could  be  filed  away  under  lock  and  key  much  like  a  tape. 

The  disk  pack  could  be  manufactured  in  such  a  way  as  to  preclude  its  use  on 
any  but  a  specified  drive  unit.  When  a  certain  file  is  called  for,  the  requester  is 
identified  and  the  owner  notified.  F, .  ermore,  the  disk  drive  itself  might  be 
enabled  only  with  the  proper  authority.  These  surveillance  functions  would 
insure  that  working  memory  space  is  wiped  out  after  every  completed  access. 

3.9  Threat  Monitoring 

What  follows  is  an  example  of  a  possible  threat  monitoring  scheme 
as  mentioned  in  the  reference  [9],  preceded  by  an  example  of  a  typical  pass-? 
word  scheme  in  common  use  today. 

STANDARD  METHOD: 

LOGIN,  MAN  2793, ACT  5-172 
PASSWORD? 

PRIVACY3 


FILE  NAME? 
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THREAT  MONITORING: 


CUSER‘S  CONVERSATION) 
LOGIN,  MAN  2793, ACCT  5-17-2 
PAS3WORD(5742)=? 

4527s. 

TRY  AGAIN .  PASS  WORD  (9  360=? 
69032. 

FILENAME: 

PRIVACY. 

OPERATION: 

SORT  RECORDS  BY  DATE 


(MONITORED  RECORD) 

10:14:08  TERMINALS.  2793, 
5-17-2,  LOGIN 

10:14:53  TERMINALS,  45273 

5742  UNSUCCESSFUL 
PASSWORD 

10:14:44  TERMINALS,  69032 
9360  PASSWORD  OK 


10:18:20  TERMINALS.  OPEN— 
PRIVACY-FILE 


10:18:20  TERMINALS,  SORT 
RECORDS  BY  DATE 


The  secure  data  bank  should  continually  be  tested  for  weak 
points.  Ideally  ,  the  bank  would  utilize  its  own  personnel  to  attempt 
penetrations  in  order  to  test  the  effectiveness  of  security  schemes. 

File  activity  studies  are  essential  to  the  continuing  efficiency  of  the 
system  as  inactive  files  may  have  to  be  purged  to  make  room  for  active 
users.  This  periodic  purging  would  be  the  result  of  information 
received  from  the  surveillance  function. 


3.10  Alternate  Protection  Schemes 

In  large  time  sharing  systems  such  as  the  CDC  6600  memory  must 
be  provided  some  routine  protection.  We  are  not  speaking  of  necessarily 
thwarting  covert  attempts  to  do  damage,  but  it  is  obvious  that  in  a  large 
utility  some  method  must  exist  for  preventing  accidental  damage  to  other 


programs . 
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For  one  thing,  a  user  must  not  be  allowed  to  interfere  with  the 
time  sharing  monitor  of  input/output  commands,  halt  commands,  etc.  The 
latter  capability  is  obtained  by  denying  the  user  certain  privileged  instruc¬ 
tions  generally  reserved  for  the  use  of  the  operating  system. 

Preventing  overwrite  and  other  calamities  is  generally  provided  by 
memory  protection  schemes  such  as  relocation  and  bounds  registers,  seg¬ 
mentation  and  paging.  Memory  boundary  registers  in  time-sharing  systems 
like  the  CDC  6600  prevent  this  interference  between  programs.  Registers 
are  used  to  store  the  upper  and  lower  bounds  of  a  program.  If  the  program 
attempts  to  address  any  program  segment  outside  of  its  range,  an  interrupt 
is  generated,  and  the  supervisory  program  takes  control.  On  the  6600  there 
are  p*o visions  for  the  handling  of  seven  such  programs  at  one  time. 

In  the  6600  each  program  is  assigned  a  control  point  for  the  execution 
of  that  job.  The  operatina  system  uses  control  point  zero  while  other  programs 
are  assigned  to  the  remaining  six.  The  operating  system  itself  cannot  refer 
to  locations  outside  of  its  own  field  length.  Only  the  peripheral  processors 
have  such  free  access  of  core.  A  requirement  of  memory  bounds  registers, 
however,  is  that  instructions  and  data  on  any  one  program  be  contiguous. 

Other  schemes  can  be  used  of  course  and  Richards  [9]  suggests  memory  protection 
by  two  methods: 

1.  Divide  main  memory  into  blocks.  Associated  with  each 
one  is  a  flip  flop  which  is  used  as  an  access  flag.  All 
blocks  are  set  to  one  if  they  can  contain  the  program. 
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If  program  references  are  made  to  a  block  not  containing 
the  program  an  interrupt  is  generated. 

2.  Another  method  attaches  extra  bits  in  each  word  to 
identify  each  program.  This  method  appears  to  be 
wasteful  of  bits  however,  it  can  be  used  effectively 
against  someone  Jumping  into  a  block  of  memory  with¬ 
out  proper  authority.  A  variation  of  this  scheme  is 
discussed  later  under  Static  Protection. 

All  of  these  methods  protect  contiguous  portions  of  memory  (real  or 
virtual)  from  an  alteration  by  an  errant  program.  They  do  not  provide  protec¬ 
tion  from  unauthorized  access.  This  is  generally  handled  by  the  access 
control  routines  mentioned  earlier. 

Grahamn  r7]  proposes  a  protection  scheme  at  the  hardware  level 
which  affords  protection  of  memory  in  a  more  versatile  manner  than  is  given 
by  a  simple  memory  bounds  register.  The  key  component  Grahamn's 
approach  is  the  segment,  where  a  segment  is  defined  as  a  contiguous  block 
of  words  whose  length  may  vary.  Some  computers  have  segment  addressing 
where  each  word  is  addressed  by  an  ordered  pair  of  integers  (S,W).  S  is  the 
segment  number,  and  W  is  the  word  number  within  the  segment.  S  ranges 
from  0  to  the  maximum  allowable  value,  and  W  ranges  from  0  to  the  current 
length  of  the  segment.  Associated  with  a  segment  is  its  descriptor  which 
contains  the  base  location  of  the  beginning  of  the  segment,  length  of  the 
segment,  and  the  access  indicator. 
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I 


Beginning 


Length 


DESCRIPTOR 


Access  Indicator 


The  access  indicator  indicates  the  mode  of  the  access,  slave 
mode  or  master  mode.  In  the  slave  mode  any  attempt  to  execute  privileged 
instructions  causes  an  interrupt.  In  the  master  mode  any  instruction  may  be 
executed.  If  the  segment  is  a  procedure  the  access  Indicator  tells  whether 
It  is  to  be  executed  in  the  s*ave  or  master  mode.  Finally  it  includes  a  fault 
bit  which  when  non-zero  causes  an  interrupt  on  any  attempt  to  reference  the 
segment  when  operating  in  the  master  mode.  If  the  fault  bit  is  non- zero* no 
access  at  all  is  permitted. 

For  every  segment  that  a  process  may  access  or  has  potential  access, 
the  corresponding  descriptor  resides  in  a  distinguished  segment  called  the 
descriptor  for  that  segment .  All  systems  will  have  large  numbers  of  descriptor 
segments,  one  for  each  process.  Whenever  a  process  is  executing,  a  register 
segment  for  the  executing  process, called  the  descriptor  base  register, indirectly 
defines  the  set  of  segments  to  which  the  execution  has  potential  access.  To 
Implement  layered  protection  an  additional  field  is  added  to  the  descriptor. 

This  number  field  is  called  the  ring  number. 


(Beginning  of  Segment  1  Length  I  Access  Indicator  I  Ring  No, 


DESCRIPTOR 


The  ring  is  an  ordered  disjoint  set  for  0  to  some  maximum  value. 


A  fault  will  occur  if  a  procedure  executing  in  ring  i  tries  to  execute 
in  ring  J  where  j  is  less  than  i.  However,  a  procedure  executing  in  ring  i 
has  access  to  a  segment  in  ring  k  if  k  is  greater  than  or  equal  to  i,  subject 
to  access  restrictions  imposed  upon  it  by  indicators  in  its  descriptor. 

Certain  classes  of  sphered  service  routines  can  be  given  a  range  of  rings  to 
operate  in  so  that  efficiency  may  be  increased, 

Grahamn's  scheme  has  disadvantages  in  that  it  rules  out  memories 
such  as  associative  memories  which  are  content  addressable  rather  than 
location  addressable.  Also,  if  a  data  bank  has  many  different  data  fields 
with  different  levels  of  access, each  datum  within  its  2  or  3  word  segment  may 
result  in  the  overhead  becoming  prohibitive  at  the  present  state  of  the  art. 
Lastly,  it  imposes  a  hierarchy  on  every  piece  of  data  that  is  in  the  data  base 
and  this  is  not  necessarily  desirable.  Dennis  and  Vanhorn's  re1 
scheme  attempts  to  accomplish  the  same  end,  but  suffers  from  the 
first  two  drawbacks.  As  mentioned  before  any  technique  attaching 
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authority  items  to  each  file  suffers  from  the  problem  of  duplication  of 
pertinent  authority  items  for  protected  fields  in  one  file. 

3.11  The  Role  of  the  Status  Word  In  a  Secure  Time  Sharing  System 

The  status  word  carries  the  information  needed  for  continuity  between 
programs.  The  status  word  however,  can  carry  more  than  just  information 
required  for  carrying  on  the  basic  program  in  a  time  sharing  system.  In 
a  machine  using  a  table  look  type  of  memory  addressing  scheme  (virtual 
addressing)  the,  basic  information  required  would  be  the  Address  Table  base 
entry  (Acb) ,  the  program  number,  and  a  pointer  to  the  register  contents.  The 
register  contents  is  the  information  contained  in  the  operating  registers  at 
the  time  a  program  was  cutoff  from  execution  having  exhausted  its  time  slice. 
We  must  now  hold  this  information  for  the  next  burst  of  execution  the  program 
receives.  The  information  we  must  keep  would  be  the  contents  of  the  A- 
register,  Q-register,  Instruction  register,  memory  address  register  (MAR), 
call  stacks  and  etc.  Since  register  content  information  is  only  a  temporary 
storage  and  it  must  be  loaded  and  accessed  quickly,  some  type  of  active 
memory  is  required,  which  is  usually  a  bank  of  registers. 

There  is  a  lot  of  information  that  could  be  carried  in  the  status  word 
that  would  make  the  system  more  versatile.  These  include  Addressing  Mode, 
Page  Size,  CPU  time  used,  Pointers  .o  a  crypto  key,  enabling  Pits  for  crypto 
units,  and  I/O  devices,  Passwords,  and  references  to  a  security  profile  for 
the  user-owner  through  capability  lists. 
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3.12  Status  Word  In  a  Multiprogramming  System 


Prog  no. 

Acb 

AM 

RCP 

Passwordj 

Pago  Size 

CPU  time 

I/O  L 

Directory 

Key 

Definitions: 

Prog  no.  -  supervisor  assigned  program  number 

Acb  -  Primary  address  table  base  entry  location 

AM  -  Addressing  mode  of  system  —  normally  set  to  the  relative 
addressing  mode  requiring  that  a  virtual  address  is  trans¬ 
formed  into  a  physical  address  by  table  lookup.  In  case 
of  failure  of  the  address  table  it  may  be  set  to  the  direct 
addressing  mode  in  order  to  bypass  the  address  table. 

RCP-  Register  Contents  Pointer-  sets  a  pointer  to  the  bank  of 
registers  which  comprise  the  Register  Contents  Table. 

The  RCT  holds  the  contents  of  registers  at  the  time  the 
program's  execution  time  slice  is  completed.  The 
operating  registers  are  reloaded  from  this  table  when 
execution  of  a  partially  completed  program  is  continued. 

Page  Size  -  A  system  option  for  varying  the  page  size  for  a  particular 
operating  environment  for  purposes  of  optimization. 

CPU-time  -  Accumulative  elapsed  time  clock  for  accounting  and 
surveillance  putposes. 

I/O  Lock  -  When  enabled,  locks  out  all  I/O  devices  except  the  ones 

authorized  by  the  I/O  lock  field.  Each  I/O  device  is  assumed 
to  havo  its  own  identification  key. 
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Directory  -  Pointer  -  Pointer  to  the  access  restriction  and  file  restriction 
table  which  contains  the  permitted  modes  and  paths  of  access 
and  any  file  processing  restrictions  imposed  upon  the  user  of 
the  file  by  the  owner.  Contains  user  certification  and  capa¬ 
bilities.  In  the  case  of  open  or  unrestricted  files  this  field 
would  contain  a  special  code. 

Key  -  If  equipment  has  a  cryptographic  car  ability  for  transmission 
between  two  points /then  a  pointer  to  th  a  key  used  would  be 
kept  here.  The  location  and  contents  of  the  key  storage  is 
kept  secure  and  cannot  be  accessed  by  a  user.  The  keys  are 
normally  changed  daily  or  more  often  on  request.  This  could 
be  accomplished  by  a  computer  generated  circular  list  suffi¬ 
ciently  large  so  as  to  insure  that  the  keys  were  not  used  with 
any  predictable  regularity.  Whenever  the  proper  enabling 
bit  is  set  in  the  status  word, the  supervisor  will  cause  the  top 
member  of  the  key  list  to  be  loaded  into  the  cryptographic  unit. 
Associated  with  each  key  is  the  program  number  to  which  the 
key  applies.  The  supervisor  meanwhile  cues  up  the  proper 
key  at  the  receiving  end  unless  the  information  is  to  reside 
at  a  remote  location  in  an  encrypted  form,  in  which  case  the 
key  is  stored  locally  and  retrieved  whenever  that  fUe  is 
fetched  from  the  remote  location  for  local  viewing  or  processing. 


If  the  only  portion  of  the  system  to  be  protected  is 


the  conversation  between  a  central  site  and  remote 
terminals,  then  once  a  key  is  used  it  is  destroyed  or 
discarded.  If  the  terminal  is  storing  information  at  a 
remote  file,  then  the  key  must  be  stored  with  the  file 
to  facilitate  its  retreival  at  a  later  date,  or  as  mentioned 
previously,  it  must  be  stored  locally  for  purposes  of 
decoding  the  information.  Certainly  it  is  not  necessary 
that  all  information  be  encrypted,  and  not  all  conversation 
or  storage  would  utilize  this  approach  to  protecting  the 
data. 

3.13  Protecting  Working  Memory  by  Virtual  Addressing 

In  most  systems ,  a  typical  program  sequence  is  mapped  into  core 
or  memory  by  setting  a  lower  address  base  limit  and  an  upper  address  limit 
between  whlc(i  the  Instructions  are  loaded  into  memory.  If  the  program 
exempts  to  jump  to  an  address  outside  of  the  limits  specified  by  the  super¬ 
visor  at  the  time  the  program  was  loaded,  then  an  interrupt  is  generated. 

This  scheme  works  well  and  is  in  common  usage  today,  but  it  nevertheless 
has  some  limitations  from  the  security  point  of  view.  It  is  subject  to 
defaulting  due  to  hardware  failure .  It  does  not  allow  protection  of  select 
portions  of  memory  by  the  programmer.  It  requires  periodic  reshuffling 
of  code  to  make  room  for  entering  programs ,  necessitating  housekeeping  chores . 
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000- 

Typical  Prog, 
word  sequence 
500- 

Core  address  = 
base  address  + 
relative  address 


Address 


1000-i 


500  +  1500 
2000 


lower 

Limit 

1500- 


2000- 


Prog 

C 

Prog 

C 

'////// 

End 

_ 

7ZZM 

In  a  virtual  addressing  scheme  the  programmer  does  not  use  an  actual 
core  address  In  writing  his  program.  All  addresses  are  virtual  and  relative, 
Although  it  appears  to  the  programmer  that  he  is  directly  addressing  core, 
in  reality  he  is  being  mapped  into  core  by  a  transformation  table.  Let  us  look 
at  how  this  would  appear  in  its  simplest  form.  Basically  the  current  instruc¬ 
tion  being  processed  Is  sent  from  the  program  instruction  counter  to  an 
address  generator.  The  address  generator  receives  as  input  the  leftmost 
digit  or  digits  of  the  instruction  identification  counter.  The  leftmost  digits 
thus  correspond  to  the  segment  being  processed.  This  number  could  be 
varied  in  relation  to  the  page  size  utilised  to  obtain  the  most  advanta¬ 
geous  page  size  and  segment  size  ratio.  The  other  input  the  address 
contents  base  or  Acb  which  is  initially  assigned  by  the  supervisor  on  the 


basis  of  core  requirements. 


Address  Generator  Segment  Relative  .Address 


No.  j 

r  r 

< 

r  Acb 

1 

1  1  7 

I 

Program  Counter 

►"  Acb  +  1  *  4000 

In  the  example  shown,  the  address  generator  has  been  given  the 
base  entry  in  the  address  table  as  Acb  4  1 .  If  the  instruction  counter 
had  read  2111,11  would  have  corresponded  to  Acb  +  2.  These  values 
serve  as  direct  table  lookup  indices.  In  the  example  shown. 

Acb  +  1  «  4000 
Acb  +  2  -  9000 

These  numbers  are  the  physical  addresses  in  core  of  the  start  of  pages 
1  and  2  of  this  program.  Thus  instruction  1117  is  found  by  adding  the 
rightmost  number  to  the  table  entry  after  blanking  the  segment  portion. 
This  gives  4000  ♦  0117  *  4117  as  the  physical  address  in  core.  The 
programmer  Is  thus  unaware  of  the  transformation  .and  core  appears  to  be 
directly  addressable. 
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The  address  table  also  provides  a  convenient  place  to  store  other 
information  important  to  the  program.  When  the  program  is  initialized  and 
the  base  entry  into  the  address  table  is  specified, a  field  in  the  table  is 
loaded  with  the  program  number  assigned  by  the  supervisor.  A  check  can  be 
made  on  the  program  number  before  the  jump  to  the  physical  address  is  taken. 

This  check  provides  a  way  to  verify  the  fact  that  the  program  addressing  that  page 
in  memory  is  in  fact  the  one  to  which  that  page  was  originally  assigned.  It 
is  possible  to  store  codes  relating  to  the  type  of  access  and  file 
operations  to  be  permitted  the  user  during  run  time .  Thus ,  once  a  set  of 
access  profiles  are  established  for  a  user,they  are  available  for  the  dura¬ 
tion  of  the  execution  and  need  not  be  reinitialized.if  the  program  is  waiting 
for  completion  as  a  result  of  an  interrupt. 

The  address  table  may  also  be  utilized  to  store  a  random  number 
to  be  used  in  a  Static  Storage  protection  scheme  to  be  discussed  in  the 


PART  IV 


STATIC  PROTECTION 

4.1  Privacy  Transformations  or  Encryption: 

One  obvious  but,  troublesome  way  to  improve  security  in  a  system 
is  to  arrange  information  in  such  a  form  that,  if  it  is  compromised  or  stolen, 
it  will  be  of  no  use  to  the  party  or  parties  obtaining  such  information.  This 
means  performing  some  sort  of  transformation  on  the  data  as  it  is  trans¬ 
mitted  or  as  it  is  loaded  into  a  file.  This  involves  some  encoding  or 
encrypting  process  whereby  the  subject  data  bears  no  resemblance  to  its 
original  form  yet  still  contains  the  original  information.  The  successful 
decoding  of  this  information  would  be  possible  only  for  those  having  the 
"key"  or  inverse  transformation  algorithms.  As  a  result,  wiretapping  and 
other  covert  methods  to  obtain  privileged  information  would  be  minimized 
as  threats.  There  are  numerous  cryptographic  schemes,  and  many  of  them 
are  used  in  military  communications  networks.  Such  schemes  have  not 
been  used  v  dely  in  civilian  applications  because  of  their  inherent  high 
cost.  Ideally,  this  problem  could  be  lessened  by  designing  the  crypto¬ 
graphy  equipment  into  the  basic  system  design.  It  is  certainly  not 
necessary  that  all  parts  of  a  system  be  subject  to  the  devices  scope.  If 
the  crypto  device  is  a  part  of  the  hardware,  it  can  be  expanded  and 
tailored  to  fit  any  requirement. 
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To  date  most  transformations  have  been  made  for  the  purpose  of 
communications  between  "secure"  points,  such  as  from  one  terminal  to 
another.  Whether  a  point  is  secure  or  not  is  part  of  a  larger  problem, 
that  of  total  system  security  as  opposed  to  basic  file  security.  An  obvious 
benefit  of  a  transformation  is  that  the  burden  of  file  security  is  relieved 
during  periods  of  transmission  from  one  point  to  another.  But,  what  about 
security  of  the  facility  and  of  the  file  itself  while  it  resides  in  memory,  on 
a  disk  or  tape  or  while  it  is  in  execution.  A  start  might  be  made  by  encoding 
certain  classes  of  data  as  it  is  put  into  the  file.  This  procedure  would 
make  the  data  secure  even  if  access  management  techniques  break  down  and 
the  file  is  unintentionally  displayed. 

If  such  information  residing  in  a  file  is  encrypted  and  is  accessed 
by  a  remote  terminal,  it  is  possible  to  encode  the  information  again  prior  to 
transmission.  The  net  result  would  be  a  message  that  is  double  encrypted 
requiring  two  decoding  steps  at  the  receiving  end.  Such  a  system  is 
illustrated  in  Figure  (6) . 

4.2  Problems  Associated  with  Privacy  Transformations: 

There  are  many  problems  to  be  solved  in  the  area  of  cryptographic 
design  as  related  to  a  computer.  One  yardstick  determining  the  validity 
of  a  design  is  whether  or  not  it  can  be  discussed  openly  without  someone 
pointing  out  a  weakness.  Certainly  any  procedure  must  be  of  §  nature  that 
engineers  and  computer  scientists  can  talk  about  it  freely  without  in  any 
way  affecting  its  usefulness.  Baran  r21  points  out  that  one  reason  why 
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cryptographic  equipment  has  been  so  expensive  is  the  insistence  that  it 
be  absolutely  secure.  In  a  computer  application,  the  cryptographic  equip¬ 
ment  could  be  something  less  sophisticated  than  is  required  for  national 
defense.  It  may  be  wiser  to  purchase  more  equipment  of  lesser  sophis¬ 
tication.  The  philosophy  behind  this  reasoning  is  that  while  a  determined 
party  might  occassionally  break  a  code  the  net  result  would  be  much  less 
information  lost  over  the  long  haul.  Most  people  would  not  have  the 
patience  or  time  necessary  to  decode  large  streams  of  information  looking  for 
a  particular  iteir 

Message  interception  can  be  made  difficult  for  someone  knowing 
the  code  by  chopping  the  message  up  into  a  series  of  segments  which  are 
transmitted  over  different  lines  together  with  other  traffic  and  garbage.  It 
then  berames  almost  impossible  to  reconstruct  the  message  even  if  the 
code  is  known.  Following  a  technique  in  long  use  in  military  communica¬ 
tions  ,  the  line  can  always  be  filled  with  redundant  traffic  or  garbage  so 
that  there  are  no  apparent  periods  of  inactivity.  This  procedure  makes 
the  beginning  and  termination  of  a  message  difficult  to  determine. 

The  point  is  that  while  the  overhead  may  be  great,  we  can  buy 
any  level  of  security  we  are  willing  to  pay  for.  A  basic  problem  is 
what  do  you  do  with  a  sensitive  program  when  't  is  in  execution.  When 
a  program  is  brought  in  from  an  outside  source,  or  filed  into  central  memory 
for  the  purpose  of  execution  what  do  you  do  with  it?  Do  you  leave  it  in 
encrypted  form  while  it  is  in  xecution  or  do  you  transform  it  back  to  its 


original  form.  If  It  is  left  in  encoded  form,  how  do  you  design  equipment 
that  can  execute  an  encrypted  program.  Ideally,  the  programmer  or  operator 
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should  not  know  the  particular  transformation  utilized  during  the  execution 
period.  At  the  present,  however,  any  program  probably  would  have  to  be 
decoded  before  the  arithmetic  unit  could  produce  meaningful  results.  But, 
what  if  someone  is  looking  at  your  arithmetic  unit  while  the  program  is 
executing?  If  he  does  so  and  the  information  is  not  in  an  encrypted  form 
the  whole  purpose  of  the  scheme  is  defeated. 

4.3  Cryptographic  Schemes: 

Most  cryptographic  schemes  in  use  attempt  to  average  or  transform 
a  text  into  some  hopefully  unrecognizable  form.  This  is  accomplished  by 
(a)  permutation  of  text  symbols  (b)  reducing  the  occurrence  of  high  frequency 
symbols  characteristic  to  the  language  used  (i.e.  leveling).  Obviously 
the  leveling  process  requires  some  substitution  or  transformation  whereby 
the  high  frequency  characters  aro  substituted  for  by  low  frequency  symbols , 
Certain  vowel-consonant-consonant-consonant,  and  vowel-vowel  combina¬ 
tions  are  clues  to  the  word  used  in  a  certain  context.  The  example  shows 
how  high  frequency  letters  in  the  plain  text  can  be  substituted  for  by  several 
cipher  text  letters  so  as  level  the  text. 

Example  of  Leveling  Technique  for  Given  Character  Occurrence: 
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End  to  end  encryption:  In  this  approach  a  cryptographic  device 
is  connected  to  one  end  of  a  line  adjacent  to  the  user  and  a  reciprocal  unit 
is  placed  at  the  receiving  end.  Figure  (6)  shows  such  a  unit.  Figure  (7) 
demonstrates  a  method  suggested  by  Baran  F2-1.  The  transformation  used 
in  Figure  (7)  uses  two  pseudo-random  binary  streams  generated  by  two  "key" 
generators  at  each  end  of  the  link.  The  generator  at  one  end  generates  a 
long  non-periodic  digital  stream  which  is  combined  with  the  outgoing 
message  by  some  logical  transformation.  The  resulting  combined  stream  is 
the  encrypted  text.  This  process  is  a  logical  proce~  ind  is  complemented 
at  the  other  end  to  decode  the  message.  One  problem  Baran  points  out  is 
that  the  generator  must  have  statistical  properties  that  make  it  appear  as  a 
totally  random  digital  noise  generator.  Additional  facilities  must  be  included 
for  synchronizing  the  time  base  clocks  at  each  site.  Any  transformation 
used  to  combine  the  text  and  the  key  must  be  generated  chatacters  of  equal 
probability  such  as  the  binary  values  1  or  0. 

4.4  The  Crypto  Process: 

Examining  the  algebra  of  the  technique  of  Figure  (7),  a  "logical- 
add"  circuit  is  used  to  perform  the  equal  probability  of  transformation  required 
to  allow  reciprocal  operation  at  the  receiver.  The  operation: 

M  ©  K  =  E 

E  e  K  =  E 
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Where  M  =  the  original  message 
K  =  the  key 
E  =  the  encrypted  text 

=  logical-add-transformation-ex-or 

The  truth  table  shows  an  ex-or  or  add  without  carry  transformation  which 
Kas  the  reciprocal  properties  required.  Of  course  more  complex  operators 
are  possible. 

Unbreakable  ciphers  are  possible  by  using  an  infinitely  long 
non-periodic  key.  However,  it  would  be  necessary  using  this  complemen¬ 
tation  technique  to  r  .ore  the  key  at  both  the  transmitting  and  receiving  end. 
Considering  the  high  data  rates,  the  storage  requirements  for  such  keys 
would  likely  prove  prohibitive. 

Keys  should  be  chosen  that  will  not  reveal  any  periodicity  for  the 

length  of  time  they  are  used.  It  would  be  feasible  to  change  such  keys 

(Figure  8)  dally  to  circumvent  this  diffi<~  'ty.  It  is  possible  to  generate 

long  series  of  bits  from  a  moderate  length  key  by  utilizing  all  the  possible 

combinations  a  finite  length  binary  key  possesses.  The  key  length  that  can 

N 

be  generated  by  a  key  of  length  N  =  N2  ,  where  N  is  the  number  of  flip- 

N 

flops  or  storage  elements  in  the  series  generator.  If  N  »  50,  N2  * 
50,000,000,000,000,000.  Such  a  key  must  be  chosen  carefully  however, 
so  as  to  Insure  that  its  statistical  properties  do  not  raven1  its  nature  r2^. 

The  complementation  technique  demonstrated  in  the  previous  section 
is  known  as  the  Vomam  code  and  was  originally  applied  to  telegraph  trans¬ 
mission.  This  technique  could  also  be  bsc/ul  in  static  storage  of  information. 
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Whan  applied  using  a  non-periodic  totally  random  one-time  key  the  system 
has  been  touted  as  an  "unbreakable"  system  TO], 

4.5  The  Possibility  of  More  Complex  Keys: 

If  the  need  is  felt  for  some  complex  keys,  such  keys  can  easily  be 
generated.  Previously  we  were  considering  only  a  very  simple  key.  By  using 
a  multiplexing  drum  to  store  the  key  and  by  using  multiple  magnetic  heads  to 
input  and  output  the  key,  the  number  of  possibilities  is  extremely  large. 

Figure  (8)  The  three  drum  bands  could  serve  as  follows;  the  first  band  is 
used  to  store  the  key  used  in  decrypting  the  last  message,  the  second  drum 
band  stores  the  deciphered  text  in  the  clear  that  has  been  derived  from  the 
old  key.  The  third  band  stores  the  new  key  generated  by  the  black  box  Z. 

If  A,  B,  &  C  represent  three  heads  spaced  some  specified  number 
of  bits  from  each  other  on  the  multiplexing  drum,  then  D,  F.,  and  F,  would 
represent  a  second  set  of  heads  containing  bit  patterns  from  the  clear  text. 
These  form  six  separate  inputs  to  the  black  box  Z  which  can  permute  these 
inputs  into  a  number  of  outputs  for  the  new  key  which  is  stored  on  band 
three. 

Consider  six  different  heads  to  form  six  separate  inputs.  There 

are  many  ways  six  Inputs  can  be  atranged  to  form  separate  and  distinct 

output  functions.  Any  Boolean  function  con  be  expressed  as  the  logical 

sum  of  a  series  of  mlntorms.  The  minlcrms  being  the  logical  product  of  the 

26  20 

inputs  to  each  head.  For  a  six  term,  six  input  function,  there  are  2  or  10 
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allowable  combinations,  where  the  number  of  combinations  can  be  computed 
2N 

from  the  relation  2  if  N  is  the  number  of  variables.  Complex  logic 
circuitry  may  be  required  in  some  circumstances  but  may  be  simply  realized. 
By  using  rather  simple  techniques  such  as  the  one  discussed,  it  is  possible 
to  add  tremendous  complexity.  There  are  other  approaches  to  encrypting 
data.  We  shall  now  investigate  and  evaluate  some  of  them. 

4.6  Evaluation  of  the  Vernam  Scheme 

To  study  the  overhead  associated  with  the  Vernam  scheme  two 
short  computer  programs  were  written  which  take  a  message,  encode  it, 
and  then  decode  it.  Timing  evaluation  was  made  of  the  time  required  to 
encode  and  decode  the  message.  This  was  done  to  gain  an  insight  into 
the  overhead  associated  with  using  the  Vernam  method  for  static  storage  of 
information . 

The  two  programs  used  the  Vernam  technique,  however,  the  first 
program  uses  a  periodic  key  of  60  bits  or  one  computer  word,  as  this  is 
the  standard  word  length  on  the  CDC  6600,  This  key  was  used  as  many 
times  as  was  necessary  to  cover  the  text.  The  other  program  used  a  non¬ 
periodic  key  that  was  at  least  as  long  as  the  message.  This  approach 
helps  to  alleviate  the  frequency  problem  inherent  with  a  periodic  key.  As 
will  be  shown,  the  one-time  key  is  a  suporior  method  from  a  theoretical 
point  of  view  but,  it  is  burdened  with  the  overhead  problem  of  the  storage 
of  long  keys  and  the  generation  of  such  keys  having  the  proper  statistical 
properties.  All  of  these  problems  increase  overhead  of  the  system. 


The  periodic  key  demonstrates  one  of  its  weaknesses  when  the 
standard  internal  representation  is  compared  to  the  scrambled  text.  A  ten 
character  word  full  of  blanks  is  represented  internally  as  5555555555; 
whereas,  in  the  scrambled  text,  the  representation  is  apparently 
<=  )  -  %%9%  7.8.  This  code  could  be  used  as  a  starting  point  to  find 
the  key.  For  example,  since  it  is  known  Jiat  we  are  dealing  with  a  recip¬ 
rocal  process,  (assume  the  snooper  knows  as  much)  we  can  examine  the 
encoding  algorithm  E  ^  K  =  M  and  the  decoding  algorithm  E  m  K  =  M, 
substitute  and  get  E^  K  m  K  =  E.  Thus  if  the  key  is  applied  twice  the 
message  is  recovered,  since  K  =  E  and  in  the  <  in  the  CDC  display 
code  is  72  octal  or  111010  binary  and  a  blank  is  55  octal  or  101 101  binary: 
111010  *=  Encrypted  letter 

0  101 101  =  Unencrypted  blank 

010111  as  Recovered  key  letter 

This  is  27  octal  or  W  in  display  code.  Similarly  all  other  key  letters 
could  be  found  to  be  WAGARRISON.  Knowing  the  key,  nothing  is  secret. 

The  problem  is  complicated  in  the  non-periodic  key  system  as 
discovered  by  the  Army  Signal  School  cryptologists  10]  and  commonly 
referred  to  as  the  "one  time  system" .  When  the  basic  Vernem  system  using 
a  random  key  and  the  non-ropeating  key  are  combined,  the  result  is  an 
impressive  cryptographic  technique.  The  system  is  both  theoretically 
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and  practically  unbreakable.  Even  if  time  is  no  object, the  system 
is  unbreakable.  By  comparison,  some  systems  are  unbreakable  only  because 
time  is  limited  while  the  usefulness  of  the  encoded  information  can 
be  realized. 

The  Vernam  method  does  not  lend  itself  to  frequency  analysis  techniques  or 
linguistic  trait  examinations.  There  is  no  way  of  sorting  out  any  rec  urring 
traits  because  the  key  is  totally  random  and  does  not  generate  any  in¬ 
ternal  signs  as  indicated  in  the  specific  example.  Trial  and  error 
should  eventually  lead  to  the  plaintext' but  while  it  would  bring  out 
the  true  plaintext, it  would  also  bring  out  every  message  of  the  same 
length.  If  every  four  letter  key  were  tried  on  the  first  four  letters  of 
an  encoded  text, the  result  would  merely  be  a  list  of  all  possibly  com¬ 
prehensible  four  letter  words.  Time  for  the  encodinc/decoding  with  the  one-time 
key  system  is  the  same  for  dl  practical  purposes.  The  avetage 

_3 

encode  decode  time  tor  the  twu  cases  was  2  X  10  sec  although 


the  first  message  was  5760  bits  long  while  the  second  was  480  bits 


long.  Evaluating  the  cost/bit: 

Case  I  (periodic  key)  12  cards  X  80  X  -  -  5760  bits 

2  x  iff  ^ 

%  Over  head  =  f--r~ — X  100%  «  .658%  based  on  .304  sec. 

.304 

of  central  processor  (CP)  time 


Cost/blt  =  =  1.141  X  10’4% 


r>  o  n  r>  on 


C 

r 

C 

C 

f 


c 


c 

c 


c 


*•*•****#***•*»>■  "•****#« ###*#*####*  #»*##  «<*«*••»•••»••••••*•«#«««*« 

•  « 

fl  TtCHNlOUf.  F(JW  T^F'YOM?  :  I  ON  * 

*  PFPiUUlC  ngv  * 

*  « 

«»#  <n»  ****##«»**##*«###*#  #  ###*##  »  #  #  #  0  tt  ^  #  #  #  v  ^  ^  #  #  #  #  #  #  #  #  #  #  #  #  #  #  # 

PRUU«ttif  tNCOIJt  I  INPUT  *  OUTPUT) 

;.'  I  4t.1'*  il  U'M  M  (  1  .'0  ) 

OA  I  4  ''/ln(i«ln  / 

iv  a  Pf.rt  «um  M^SSrtot  OF  yP  T*  1?  oftU  CAQnS  ft T  rt 

C^MPCT  F-x  w(j*Ub  nt.rt  Can  Li 

lo4*  N 


1 1\ p u  I  HtSSflGt  T  .i  bfc  EwcnnED 

Ht.Au  1  131  <N (  1 )  >  1  a  A  »  ,<j ) 
ECHO  Pwlwr  ''Kabul: 


‘'Hl'i'  1  j3 

PRliv  T  1 .1 7  «  (MI)*  I  s  1  .  N) 

P  H 1  »m  I  IuTEhnAu  jCIAL  Eqpm  Qf  i^itssAPF 

P R 1  tN  ( 

Print  \  ;h,  (M( I) ♦  I  S  1  ,  N) 
ivfcY  a  1  ^hwa(jAKH)  SUn 

ScPft^pl.t  L  RfcPHfc^FNTaT I Oi\j  Op  ^p«SanE 

Call  bFCMNU  dipt) 

HR  InI  luH.  fi^t 

no  io  \  *  u  <•• 

lu  MU  s  ('•i(I)fM«,'M#NEY),  OW  •  (  KEY  »A»»\,P(T)  ) 

Call  bECONU  ( 1 1-t > 

Pr  I  NT  to  A,  U*£ 

bc«MMdl.t.)  1\1E.HuaL  MF.SS REPRESENT  i\T  ton 

Eh  I x I  1 u0 

print  10?*  (M(i)»  1  s  1 ,  ro 
l' vSCWAF'tfLE  p'tbS  ot 
CALL  PKCONU  (Tlvt) 


N«  1  X  I  1  0  4  •  ll  At 
00  2t»  I  a  It 

2l»  P  <  I  *  *  (  *  <  1  >  «  >  •  #<>  *Kfc  V  )  *r>R.  (nt  Y  •  a  ,  ,K  ,M  (  T  ) ) 

CALL  >EC0nU  Hit) 

PHlxl  l'»Af  T 1  -it 

Phi  * I  UnScHaMhLcU  Mf.SSAr,E 
or  1  of  )u 

P  H 1  t't  T  1,7*  (MU)  *  I  •  It  N) 

100  FORMAT <l?X««iCHAMrtLEU  INTERNAL  HForFsFFT  <M  ton#,/) 

101  FORMA  1  ( i2Xt*«tCuVEPEU  Tp*T  aFTEp  OEC<TOTNR*«/) 

102  F0H  MAT  (  i?x,#  Internal  DISPLAY  COOF  FOPm  OF  MESS  ftGF#./) 
10J  FORMA  T(12«»«MtSSA(»E  10  «F  ueCOUpn**/) 

104  FORMAT  ( IP) 

105  format  (baia) 

lot  pormAj  U2x«*o2i>) 

10?  format  (12X,«ai. ) 

10B  FORMAT  (  12* •  F**J) 

EnU 


MESSftOE  IU  ttE  OfcCOUtU 

nob  is  rut  Tine  for  all  r»oon  men  to  come  to  the  Air>  of  thUr  country. 

I  never  met  A  man  1  uiu  NOT  LlNt— -MILL  RRQfRS 

why  IS  IT  Be  REJOICE  aT  BIRTH  and  *EE*  aT  FUNERALS  1%  IT  BtCAUSp  BE  mR£ 
MC^mS.  mT  COUNTRY  *aY  SHf  aL»AvS  be  »I«mT— «UT  right  ok  BRONO  — M* 
COUNTRY—  —  STEPHEN  l»EL.|-U*. 
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c  #**#*#*#*#•«#*####*#•*######•*•#*##•#**#*##*#***••**•####••*»#*## 
c  * 

C  *  VERNAM  ENCRYPTION  METHOO  FOR  A  ONE  TIME  KEY 

c  * 

c  #**#*#*#*#•####*#♦#**###*##••••••*#•##••*#•##•••••##•*##••#••*  •• 

PROGRAM  ENCODE  (INPUT*  OUTPUT) 

DIMENSION  M(100) «KEY(100) 

DATA  M/100MH  / 

C  N  «  32  THIS  ENCRYPTION  USES  A  ONE  TIME  KEY  WHICH  MUST  BE  AS 
C  LONG  OR  LONGER  THAN  THE  MESSAGE  TO  BE  ENCODED 

READ  104.  N 

C  REAO  KEY  TO  BE  USED  TO  rE  USED  TN  ENCODING  MESSAGE 
READ  1QS>,  (KFVm,  I  »  1*  N) 

PRINT  112 

PRINT  107.  (KEY ( I ) «  I  ■  1.  N) 

C  INPUT  MESSAGE  TO  RE  ENCODED 

REAO  10P.  (M(I).  I  •  1.  N) 

C  ECHO  PRINT  MESSAGE 

PRINT  103 

PRINT  107,  (M ( 1 ) .  I  ■  1,  N) 

C  PRINT  INTERNAL  OCTAL  FORM  OF  MESSAGE 

PRINT  109 

PRINT  106,  (M ( I ) ,  I  •  1,  N) 

C  scramble,  internal  representation 

call  SECOND  (TIME) 

PRINT  lOB,  TIME 
DO  10  I  ■  1,  N 

10  M(I)  >  (M(I).A.,N,KEY(I)).OR,(KEY(I).A..N,M(T)) 

CALL  SECOND  (TIME) 

PRINT  1QB,  TIME 

C  SCRAMBLED  INTERNAL  MESSAGE  REPRESENTATION 

PRINT  llo 

PRINT  107*  (MU)  •  I  «  1,  N) 

C  UNSCRAMBLE  MESSAGE 

CALL  SECONO  (TIME) 

PRINT  lOB,  TIME 
DO  20  1  m  1*  N 

20  MCI)  «  (M(I).A*.N,KEY(I)).Or,(KEY(!).A,,N,M(I)) 

CALL  SECOND  (TIME) 

PRINT  108*  TIME 

c  print  unscrambled  message 

PRINT  ill 

PRINT  107*  (M(I)t  I  •  1,  N) 

103  FORMAT (//»10X,*  MESSAGE  TO  RE  ENCODED*,//) 

104  FORMAT  (12) 

105  FORMAT  (8A10) 

106  FORMAT  (IX,  4020) 

10T  FORMAT  (IX,  AA10) 

106  FORMAT  (  10X,  FS,3) 

109  FORMAT  (//,10X»*  OCTAL  FORM  OF  DISRLAY  CODE*,//) 

110  format  <//,iox, •scrambled  TEXT  OF  ENCODED  MESSAGE*,//) 

111  FORMAT  <//»10X«*RECOVEREO  TEXT*,//) 

112  FORMAT  UOX’,  *C  TIME  KEY*,//) 

END 

ONE  TIME  KEY 


THIS  IS  THE  KEY  USED  TO  ENCOOE  Th?S  MESSAGE— IT  CONSI0T  OF  •  WORDS  PER  CARO  OR 
400  BITS  PER  CARO,  SINCE  THIS  KEY  MUST  BE  AS  LONE  AS  TmE  MESSAGE  WHICH  IS  4 
CAROS  LONS,  THIS  KEY  IS  OF  NECCESITY  AS  LONG  OR  LONSER,  THAT  MAKES  THIS 
KEY  490  SITS  PER  CARO  X  4  C**OS  OR  A  TOTAL  OF  1920  BITS  IN  ITS  ENTIRIETY, 


MESSAGE  TO  8E  ENCODED 


NOw  is  the  TIME  for  all  good  men  to  come  to  thf  aid  of  their  country. 

THE  EYES  OF  TEXAS  ARE  UPON  YOU  ALL  THE  LIVE  LONG  DAY*  00  NOT 
THINK  YOU  CAN  ESCAPE  THEM  FROM  NIGHT  TILL  EARLY  IN  THE  MORN, 

THE  EYE'S  OF  TEXAS  ARE  UPON  UPON  YOU  TILL  GABRIEL  BLOWS  HiS  HnRN. 


OCTAL  FORM  OF  DISPLAY  CODE 


16172755U2355241005552*!  U505550A1 7225501  l4i45S07l7l7A455i505lG5S?4l7S503m505  j 

552417552410055501 110455l70655?4lft051 1225503172516242231575555555555555555555555  j 

5555555555552410055505310523551 704552405300 123550122055525201^165531172555011414  j 

55241005551411260555141716075504013157550417551617245555555555555555555555555555 
24l0lll6l3553il72555030li65505?3010l2C055524l00,9l55S0622l 715551611071024552411 14  I 

14550501221431551 1165524 1 00555151 T22165755555555555555555S5555555555555555555555  j 

24100555053105235517065524053001235501 2205552520 171655252017165531 172555241 11414 
55070102221105145502141727235510112355101722165755555555555555555555555555555555  | 

1.W6  1 

1.998  ’ 


scrambled  text  of  encoded  message 


ZG3^yZ-«*1M/4BH1  Si  W  (*XC  8ALK(H/Z*?1  NJ3V«SjKlA0  RFj-»E2*+GCQt  T  GJGIIM  •»»  C  71 
INv  ,9  Q/i  K/p«2BBAVQ0P/»FM9E2DK**fl  -.U6N/-  *V  EX  M1RS*A*T)  ,wN)  K7C*9.  ♦  9-.  I 
•  WlOJX  U  0)»*Z*L  *JU1  20/HSS1JN.KZN1H  U76  >KF»C*  EA8SMWP57FF,*  5»-/-.  +*9-. 

4M1  Z<3-*.FR-»AU2S«*.  A  M2P8tT«K?  V24«42CX«K«MT9Y/SY6M3G^*  2  A()Afl) 8*9I9/+WB 
2.005 
2.007 


RECOVERED  TEXT 


NOW  IS  THE  Time  for  all  GOOD  MEN  to  come  to  the  AID  of  THEIR  COUNTRY, 
THE  EYES  OF  TEXAS  ARE  UPON  YOU  ALL  THE  LIVE  LONG  DAY,  00  NOT 
THINK  YOU  CAN  ESCAPE  THEM  FPOM  NIGHT  TILL  EARLY  IN  THE  MORN, 

THE  EYES  OF  TEXAS  ARE  UPON  UPON  YOU  TILL  GaBRIPL  BLOWS  HjS  MORN, 


_  ,  . .  .  »  .  ... _ characters  ..  6  bits 

Case  II  (one-line  key)  4  cards  X  80 - : - X  ~~ - 

card  character 


=  480  bits, 


2  X  10~J 

%  overhead  -■ - rrc - X  100%  =  .658%  based  on  .304  sec  of  CP  time. 

.  304 

Cost/ bit  =  ~  =  1.370  X  10"3% 

480 

Several  things  should  be  kept  in  mind  at  this  point.  When  Case 
I  is  less  expensive  than  Case  II  in  terms  of  processing  time.lt  is  less 
secure.  Secondly  for  a  100,000  word  file  in  a  60  bit  machine, overhead 
could  be  as  high  as  75%.  Core  requirements  for  the  periodic  key  tech¬ 
nique  <_re  minimal;  however, the  one-time  key  requires  twice  as  mush  core 
as  there  is  information  to  be  stored,  since  the  key  is  as  long  as  the 
message.  This  objection  can  be  minimized  by  using  the  key  for  many 
different  files  requiring  addition  storage  only  a?  great  as  the  largest 
expected  file.  It  is  also  possible  to  generate  this  key  externally 
loading  it  only  when  it  is  required . 

4 . 7  Evaluation  of  the  Viqnerian  Tableau  Method 

/ 

The  origin  of  this  scheme  is  attributed  to  Blaise  de  Vignere  and 
is  probably  the  most  famous  encryption  method  of  atl  time.  The  system 
goes  back  to  1585  when  Vignere  published  a  book  on  cryptography.  The 
method  was  forgotton  ,  revived  in  the  19th  Century  an  !  finally  buried  at 
the  turn  of  the  century.  The  system  is  breakable,  especially  if  the 
original  wotd  divisions  are  kept.  While  not  suitable  for  diplomatic 
and  military  purposes  it  is  a  reasonably  secure  system  and  lends  itself 
to  implementation  in  software.  A  similar  system.whlch  we  will  call  the 
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modulo  arithmetic  scheme, lends  itself  to  hardware  implementation  plus 
several  other  refinements. 

The  Vigner/tableau^s  it  is  called, is  a  polyalphabetic  system 
(two  or  more  cipher  alphabets  are  employed  in  some  prearranged  pattern). 
The  system  essentially  consists  of  an  alphabetic  table  in  which  the 
first  letter  of  successive  rows  have  been  shifted  end  around  one  letter 
from  the  previous.  Indeed.it  is  not  necessary  that  they  be  shifted 
Just  one  letter.  As  long  as  the  shift  relation  between  successive  rows 
Is  known  any  arrangement  is  suitable.  An  abbreviated  example  is 
given  below: 

A  B  C  D  E  F  G 

A  a  bcdefg 

B  b  cdefga 

Cc  defgab 

Dd  efgabc 

Ee  fgabcd 

Ff  gabcde 

G  g  abcdef 

Vigner/tableau 

To  encipher  a  message  with  the  tableau,  a  key  is  chosen,  say 
BAD.  The  message  to  be  encoded  will  be  CABBAGE.  A  normal  alphabet 
at  the  top  >8  used  for  the  plaintext* and  another  normal  alphabet  vertically 
is  used  for  the  key.  The  key  is  written  above  the  message  repeating  it 
as  much  as  is  necessary  to  cover  the  message.  The  intersecting  rows 


70 


and  columns  of  the  two  letters  in  the  tableau  represent  the  transposition. 

Example: 

Key:  B  A  D  B  A  D  B 

Plain:  CABBAGE 

Cipher:  d  a  e  c  a  c  e 

To  decipher, one  enters  from  the  side  with  the  lead  key  letter,  goes 
across  until  he  finds  the  letter,  and  then  up  until  he  reaches  the  normal 
alphabet  at  the  top.  The  scheme  can  be  improved  by  the  use  of  random 
keys,  one  time  keys,  variable  shifting  of  the  alphabet,  etc. 

The  program  written  to  evaluate  the  technique  uses  a  tableau 
based  around  CDC  6600  display  code  which  is  defined  conveniently  to 
expedite  processing  of  the  tableau.  Each  character  is  represented  by  an 
octal  number  from  1  octal  to  77  octal,  A  being  1  octal  B  being  2  octal,  etc. 
The  tableau  consists  of  a  63X63  matrix  of  3969  characters;  however,  it  is 
not  necessary  to  store  the  complete  matrix  as  not  all  of  it  Is  used  in  any 
given  message.  It  Is  only  necessary  to  generate  those  rows  starting  with 
the  key  letters  and  to  use  these  rows  to  encode  the  message.  This  outs 
down  on  the  core  memory  required  to  load  the  program.  The  Vignere' 
program  requires  more  core  than  the  Vemam  system,  as  a  transposition 
table  must  be  stored;  whereas,  only  a  mathematical  algorithm  Is  necessary 
in  the  Vemam  system. 


Time  studies  of  the  technique  show  an  eightfold  increase  in 


encode/decode  time  as  well  as  an  increase  in  central  processor  time. 
Exp .  Encode 

68  character  X  —  =  4080  bits 

character 

1  0  1  0  ©  A  P 

%  overhead  =  — ~~~  ----  X  100%  =  .255%  based  on  .392 
of  CP  ti  ne. 


Cost/bit  =  *=  6.25  X  10”^  % 


Decode 


13X10~^ 

%  overhead  =— m -  X  10C%  =•  3.32%  based  on  .392  sec 


.392 


of  CP  time . 


Cost/bit  °  jjjQQ*  -  8.12X10'4% 


Decoding  time  was  greater  than  encoding  time  for  the  message 
sample.  More  memory  was  used  in  this  program  than  was  necessary 
since  only  six  bits  of  sixty  were  used  in  each  word, as  each  character 
occupied  a  whole  word  instead  of  the  usual  ten  characters  per  word. 

This  facilitated  processing  by  cutting  down  the  time  required,  but 
Increased  memory  requirements  tenfold.  These  costs  may  not  necessarily 
be  representative  since  some  installations  charge  more  for  central  pro¬ 
cessing  time  than  they  do  for  extra  memory  during  execution.  Another 
interesting  point  is  that  white  average  encode/decode  time  is  greater  for  the 
Vlgnere'melhod, cost/bit  is  less. 
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C 

c 

• 

c 

r 

*  ENCRYPTION  BY  VJGNERJAN  TABLEAU 

c 

PROGRAM  CIPHER  (INPUT*  OUTPUT) 

00300? 

COMMON/1/  TAB  (64*64)*  KEY  ($4),  NX  (100>*  NY 

l.NZ(lOO) 

00000? 

INTEGER  TAB 

c 

REAO  NUMREH  OF  LETTERS  IN  KEY  AND  IN  MESSAGE 

00000? 

READ  10^*  NLTKEY*  NLTM$fl*NLTA0 

000014 

PRINT  100*  NLTKFY,  NLTMSG*  NLTAR 

c 

READ  KET 

000026 

REAO  101,  (KFY(T),  I  ■  1,  NLTKEY) 

\ 

c 

READ  MESSAGE 

|  000035 

READ  101.  ( NX ( 1 ) *  I  «1.  NLTMSG) 

, 

c 

ECHO  PRINT  KFY 

!  000064 

PRINT  10?.  ( KEY ( I ) ♦  I  a  1*  NLTKFV) 

! 

c 

PRINT  MESSAGE 

;  000053 

PRINT  104 

|  000067 

PRTNT  105.  ( NX ( T ) .  I  ■  1*  NLTMSG) 

I 

c 

CREATE  VIGNEPIAN  TARLEAU 

000066 

DO  10  U  *1*  NLTKEY 

000070 

ISTART  «  KEY ( J) 

000072 

Do  10  I  ■  1,  nltab 

00O101 

TAR(J.I)  ■  ISTART 

000)0? 

IP (ISTART. EQ. NLTAB)  ISTART  ■  0 

000103 

10  ISTART  a  TSTART  ♦  1 

000110 

PRINT  109 

000113 

PRTNT  103.  (  (TAR(J.I)  *1  «1*  NLTAR)*  J  ■  1.  All. 

c 

ENCODE  MESSAGE 

000133 

CALL  SECOND  (TIME) 

000135 

PRINT  104*  TIME 

000143 

00  ?0  I  al*  NLTMSG.  NLTKEY 

000145 

00  20  J  a  1,  NLTKEY 

00015? 

M  a  I  ♦  J  -  1 

000154 

IF (M.GT. NLTMSG)  GO  TO  30 

0001  '  .» 

K  a  NX  (M) 

000157 

NY(M)  «  TAB ( J*  KJ 

000163 

20  CONTINUE 

000*  67 

3 0  CONTINUE 

000167 

CALL  SECOND  (TIME) 

OOOlTl 

PRTNT  104*  TIME 

c 

P  NT  CIPHER  MESSAGE 

j  000177 

PRTNT  107 

|  C00?03 

PRINT  105*  (NYU),  I  a  ).  NLTM50) 

f 

c 

DECODE  CIPHER  MESSAGE 

f  000?12 

CALL  SECOND  (TIME) 

!  000? 14 

PRINT  104i  TIMF 

1  000??? 

DO  50  Nl  TMSG.mlTKEY 

!  *00?*4 

no  50  J«l.  NLTKEY 

000??5 

M  a  K  ♦  J  -  l 

0??7 

IF (M.GT. NLTMSG)  GO  TO  60 

f  <0?3? 

DO  40  I  «  X*  NLTAB 

000?33 

IP (TAB(J*I) «NE*NY(M) )  GO  TO  40 

000?40 

NZ(M)  »  ! 

i  000?41 

GO  TO  50 

1  &00?41 

40  CONTINUE 

(100) «  NLTKEY.NLTMS6 


5f)  CONTINUE 
*0  CONTINUE 

CALL  SECOND  (TIME) 

PRINT  104t  TIME 
PRINT  110 

PRINT  105*  (NZ(T).  I  «  1*  NITMSO) 

100  FORMAT  (12*13*13) 

101  format  (sown 

102  FqrMAT ( IX ♦  4HKFY  a  BA10*/) 

103  FORMAT  (IX,63R1,/) 

104  FORMAT ( IflX*  F5.3) 

105  FORMAT  (IX*  40R ?*/) 

106  FORMAT (1X**MFSSAGF  **/) 

107  FORMAT (lX»*CIPHFR  MESSAGE**/) 

109  FORMAT  (/*1X*  *VlGNFMlAN  TABLEAU**/) 

110  FORMAT  (IX*  *OECOOEO  MESSAGE*')/) 

FNO 


KEY  a  T  Y  P  E 

MESSAGE 

NOW  IS  THE  TIME  TOR  ALL  GOOD  MEN  TO  COME 

TO  THE  AlO  OF  THEIR  COUNTRY 

vignerian  tableau 

TUVWXYZ0123*56789*-*/()Sa  * .SCI S**VAt+<>S*tl ABC0EF6HI JWLMNOPoRS 

YZ01234S6789*-*/  ( )  Sa  ,  ,sf  ]  | **VA44<>Si«,|  ABCOEFGHI JKLMNORQRSTUVWX 

PO«STUV*XYZ0123456789*-*/  ( )  Sa  *  ,gt  J I «L*VA44oS2-*l  ABCDEFGHI  JKlmNO 

EFGHI  JKLMNOP8PSTUVWXYZOl234567B9a-*/  < )  la  *  ,51  ]  |  *#VAt*oSH  APCD 

2.070 
?.07l 
CIPHER  MESSAGE 

6*»(  1  H  X  (I  2  i  X  1  ♦  T  f  Y*6t  T90t  2  *  3  H  A  ♦  T  D  A  ■  3  l  V*l  I 
Aa3t*5TCT6S(?3SX02XVA03Y6a62 

2*078 

2.091 

DECODED  MESSAGE 

NOW  IS  THE  TIME  FOR  ALL  GOOD  MEN  TO  COME 

TO  THE  AID  OF  THEIR  COUNTRY 
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4 . 8  Modulo  Encryption 

The  Modulo  method  is  a  modification  of  the  Vignerian  method. 

The  basic  difference  is  that  no  table  is  generated  for  the  encryption 
decryption  cycle  ,  saving  some  core  memory.  However,  time  required 
for  encode/decode  is  greater.  The  scheme  lends  itself  more  to  hard¬ 
ware  implementation  rather  than  to  software  like  the  Vignere/ scheme.  A 
hardware  unit  could  probably  be  built  that  would  perform  the  function 
much  faster. 

The  theory  of  encryption  is  simply  to  add  the  value  of  the  display 
code  of  the  key  letter  and  the  text  to  yield  the  cipher  letter.  This  is  effec¬ 
tively  what  is  done  in  the  Vignere  technique  as  programmed  previously. 
Modulo 63  arithmetic  is  required,  since  there  are  63  display  code  charac¬ 
ters  in  the  CDC  6600.  Since  the  last  10-15  characters  in  display  code 
are  specialized  and  would  not  appear  in  most  texts.it  would  be  possible 
to  vary  the  modulus  by  10  -  15  without  losing  any  information.  This 
would  add  some  security  over  the  Vignere'  scheme  .  Another  arbitrary 
number  can  be  added  in  to  change  the  output  cipher.  This  number  can 
be  changed  arbitrarily  by  the  programmer  before  or  during  the  program 
adding  to  the  security  of  the  scheme .  Those  two  factors  make  it  more 
secure  than  the  Vignerian  scheme.  The  encode  functions  are: 

ISUM  1  =  NX(M)  +  KEY(I)  +  IFOOLU  -  1 

NY(M)  *  MOD(ISUMI,  63) 

Hers  IFOOLU  is  the  complicating  factor  that  may  be  introduced  by  the 
programmer.  To  decode  the  reverse  process  is: 
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I  SUM2  =  NY(M)  -  KEY(J)  -  IFOOLU+1 
50  IF  (ISUM2.LE.0)  ISUM2  =  ISUM?  +  63 
IF  (ISUM2  .LE.  0)  GO  to  50 
NZ(M)  =  MOD(ISUM2 ,  63) 


An  additional  check  is  required  to  check  to  see  if  ISUM  2 
is  negative.  If  so,  63  is  added  repeatedly  until  ISUM2  is  positive. 
This  accounts  for  the  increase  in  time  required  for  decoding. 

Timing  studies  for  the  modulo  method  reveal  the  following 
for  a  480  character,  28800  bit  message. 


Encode 


8X10  ° 

%  overhead  =  — rrr —  X  100%  =  1.94%  based  on 


.412 


.412  sec  CP  Time. 


1  Q4%  “5 

Cost/bit  =•  2880Q  =  6.75X10  % 


Decode 


1 8X  i  n 

%  overhead  X  100%  =  4.38% 

i  Hlc! 

Cosl/bU“iS'1-52X10',l% 


It  should  be  noted  that, in  the  Vignerian  method  and  the 
modulo  method  ,the  extra  memory  required  brought  the  overhead  per 
bit  down.  This  can  be  misleading;  for, as  this  program  is  written,  a 
full  60  bit  word  is  required  for  each  character  encoded.  Thus  there  is 
a  tradeoff  betwer  memory  and  time  as  brought  out  by  the  Modulo  program. 

The  word  packing  program  does  the  same  thing  as  the  Modulo  program  except  that  by 


word  packing,  memory  requirements  for  the  encoded  message  are  cut 
by  a  factor  of  ten.  However,  the  saving  in  memory  is  lost  by  a  sig¬ 
nificant  increase  in  encode  time  and  decode  time  required.  Overhead 

increased  from  1.94%  on  .412  sec.  of  CP  time  to  13.02%  on  .461  sec. 

-4  -2 

of  CP  time.  The  cost/bit  shot  from  1 .52X10  %  to  2.71X10  %.  This 
points  out  the  disadvantage  of  performing  encoding  and  decoding  in 


software . 


uuu  uu 


•ftftftftftftftftftftftftftftftftftftftftftftftftft^-ftttftftftftftftft# 

« 

*  MODULO  ENCRYPTION  * 

ft  • 


PROGRAM  cIPHFR  (INPUT#  OUTPUT) 

DIMENSION  KEY (20) «  NX(sOO)#  nY(500)*  mZ(500) 
C  READ  NUMPEH  OP  LETTERS  TN  KEY  AND  IN  MESSAGE 
REAO  10W.  NLTKEY#  NLTMSG.NLTAB 
C  REAO  KEY 

READ  10i«  (KEY(I)#  1*1#  NLTKEY) 

C  REAO  MESSAGE 

REAO  101#  (NX(I)f  I  >1#  NLTMSG) 

C  ECHO  PRINT  KFY 

PRINT  I02#  (KEY ( I ) #  I  ■  1#  NLTKPY) 

C  PRINT  MESSAGE 

PRINT  106 

PRINT  105#  (NX ( I ) *  I  ■  1#  NLTMSG) 

IFOOLU  ■  43 
C  ENCODE  MESSAGE 

CALL  SECOND  (TIME) 

PRINT  i04.  TIME 

00  10  I  *  1.  NLTMSG,  NLTKEY 

DO  10  J  ■  1#  NLTKEY 

M  a  I  ♦  J  -  1 

IF (M.GT. NLTMSG)  GO  TO  20 

ISUMl  «  NX (M)  ♦  KEV(J)  ♦  IFOOLU  -  1 

NY  (M)  «  MOOdSUMl,  NLTAM) 

10  CONTINUE 
20  CONTINUE 

CALL  SECOND  (TIME) 

PRINT  i04,  TIME 
PRINT  107 

PRINT  105*  (NY(I),  I  a  1#  NLTMSG) 

C  DECODE  CIPHER  MESSAGE 
CALL  SECOND  (TIME) 

PRINT  104*  TIME 
DO  30  K  a  1.  NLTMSG#  NLTKEY 
DO  30  J  a  1#  NLTKEY 
M«  K  ♦  J  .  1 

IF(M,GT»NLTMSG)  GO  TO  40 
iSUMg  a  NY(M)  •  KpY( J)  -  IFOOLU  ♦  l 
So  !P(1SUM2,LE,0>  TSUM?  a  ISUM*  ft  NLTAB 
IF(ISUM2.l6.0)  AO  TO  So 
N2(M)  ■  MOO ( I SUM?,  NLTAR) 

30  CONTINUE 
ao  continue 

call  SECOND  (TIME) 

PRINT  104#  TIME 
PRINT  110 

PRINT  10S*  (NZ(I),  I  a  1*  NLTMSG) 

100  FORMAT  (12*13*13) 

101  FORMAT  (A0H1) 

ioc  format (lx*  amkev  a  cora,/i 

10A  FORMAT U OX,  FS,3) 
los  format  li Xa  65R) •/) 

100  FORMAT (IX. •MESSAGE  ••/) 
iot  Format ux, ♦ciphfr  message*./) 


000327  lift  FORMAT  (IX*  *DECODED  MESSAGE**/! 

000327  END 

005800 

KEY  *  KITTY  hawk 

MESSAGE 

NAME |  JOHN  Q,  PUBLIC  AGE|  3?  INCOMFI  *500 

CREDIT  STATUS  I  GOOD-  REFUSED  TO  PAY  LATF  CHA 
RGES  ON  LOAN  FRQm  EASY-GO  A 

PPLIANCE  STORE  ON  2  JAN  1965  APRFST  RECORD! 

ARRESTED  -MINOR  IN  POSSESSION  1?  MAY  195? 

POLITICAL  PARTY!  REPUBLICAN  HEALTHf  FAIR-  CONTACTED 

INFECTITIOUS  HFPATITIOUS—  JULY  195?  COMMENTS!  N 

ONE 

2*044 
2*052 
CIPHER  MESSAGF 

86*b[FA«0<  (bslSSAyS  +  GOT  AP6*Y*8P6aatF5>T<  (6aa(  vPY«-DvNLTl.5Y8V00aaC 

F5Y,R84«B[FSY.886»»tF^2G4-«H«oxYGAtl(8<NNH^5>G>K0DC[«BYRv0GK  X?5,Jv 

H<OR  [  *A  YNF  vdaa  [  F5  V  ,  886»«  (  F  5Y  *  RR6aa  I F5  Y  *  8B6bb  t  FS  Y  .  B84QNOF  a«UO  1  <N«E 

/CaKvDwU»WbB2G8EB«1 ( 71 4,RZU4»[F5Y*R86«»CF5Y*88Ab«(F I >T< lH«QIflRlF ( 

8POOI1G5F81 AMMSl 5#P8FCMRISF#QORPl»OVLY32VV»»lF5Y*886B»f F5V*RP8«»1 

FC<N-.JSa  PFCaTJO*aOl/H  N-t*Ma(F<sCftJ>]aJY>fc/84eM5E0G5F«86aa(F5Y*8 

•6aa(F5YA886«atF>«H<4HHSM4H-t2<D  SMe><wIlZalY9lY3lvVaa«*  49DjS)aR 

•A5.888aalF&Y,886aafF5Y,8 

2*078 

2*094 

DECODED  MESSAGE 

NAME!  JOHN  G*  PUBLIC  AGE*  32  INCOMFI  6500 

CHEOIT  STATUS*  GOOD-  REFUSED  TO  PAY  LATF  CHA 
ROES  ON  LOAN  FROm  EASY-GO  A 

PPLIANCE  STORE  ON  2  JAN  )96S  ARRFST  RECORD I 

ARRESTEO  -MINOR  IN  POSSESSION  12  MAT  1957 
POLITICAL  PARTY*  REPUBLICAN  HfALTHi  FAIR-  CONTACTED 

INFECTITIOUS  HFPATITIOUS—  JULY  1957  COMMENTS*  N 
ONF 


n  n  o  r>  o 


* 

*  modulo  encryption  with  word  packing 

»  <> 

PROGRAM  MODULO  ( INPUT  ,01 ITPUT ) 

COMMON  /\/  KEY(20)«NX(50fl)*NY(SOO)  »N7  (SOO)  • 
1J*IE00LU*NW0PDS*NLTKEY.NLTAB, INDFX 
C  READ  NUMBER  OF  LETTERS  IN  KEY  AND  NtJMHFw  OF  WORDS  T ,v  MFSSAG) 

READ  100*  NLTKFY * NWORDS ♦ NL T  AR 
C  READ  KEY 

READ  101*  (KEY ( I )  »  I  =  1,  NLTKEY) 

C  READ  MESSAGE 

READ  102*  (NX ( I ) *  I  s  i,  NWORDS) 

C  PRINT  KEY 

PRINT  101*  (KEY ( I )  •  I  =  1*  NLTKFY) 

C  PRINT  MESSAGE 

PRINT  104 

PRINT  105*  (NX ( I )  .  I  a  1,  NWORDS) 

I FOOL U  =41 

MASK  *  77000000000000000000B 
C  ENCODE  MESSAGE 

CALL  SECOND  (TIMF) 

PRINT  104.  TIME 
INDFX  =  1 

DO  20  J  =  1*  NWORDS 
I HOLD  *  NX ( J) 

NY ( J)  =  0 
DO  10  I  *  1*  10 
ITEMP*  IHOLD.ANO.MASK 
ITEMP  a  L  SHI  FT  (ITEMP.4) 

CALL  ENCODE (ITEMP) 

NY ( J)  a  LSHIFT (NY ( J) .4) 

NY  ( J)  a  NYU).  DR.  ITEMP 
I HOLD  a  LSHIFT (IHOLD, 4) 

10  CONTINUE 
20  CONTINUE 

CALL  SECOND  (TIME) 

PRINT  104*  TIME 
PRINT  107 

PRINT  10S*  (NY ( I ) *  I  a  1,  NWORDS) 

C  DECOOE  CIPHER  MESSAGE 
CALL  SECOND  (TIME) 

PRINT  106*  TIME 
INDEX  *  1 

DO  60  J  ■  1*  NWORDS 
IHOLD  «  NYU) 

N2U)  a  0 
DO  10  I  a  1,  10 
ITEMP  a  IHOLD* AND .MASK 
ITEMP  a  LSHlET ( ITEMP, 6) 

CALL  DECOOE (ITEMP) 

N*(J)  «  LSHlET (N7 ( J) *4) 

NZU»  a  N7  U)  .OR*  ITEMP 
tHOLO  a  LSHlET I IHOL0.4) 

30  CONTINUE 
40  CONTINUE 

CALL  SECONO  (TIME) 


I  s  i.  nwoppsi 


100 

101 
10? 
inn 

104 

105 
10* 
107 
100 


PRINT  104,  TTMF- 
PRINT  1  OR 

POINT  lOS,  <M7  C I  >  • 

FORMAT (IP* 13* 13) 

FOWMAT<nn<?l  ) 

FOPMAT(«P10) 

FfipMATU?XtftHKFY  =  ?0P4./) 
FOPPAT(l?X,»M£SSAr,F*,/) 

FORMAT Il?X,«A10*/» 
F0RMATU?X.F'.,3) 

FOPMAT ( 1?X«*CIPHFP  MFSSAGf*./) 

F OPM AT ( 1 ?X ♦ *0F COPED  MFSSAOF*«/> 
ENP 


SUBROUTINE  FNCODFdTFMPJ 

common  /»/  key(?o>  *nx (snn>  .MYmno)  *N7(*noj . 
1  J.IFOOL'»%NWOROS«NlTKFY,NI  tab. jnpfa 
IF (INOFX.GT.NLTKFY)  TNPFv  =  j 
1STAPT  »  KFY ( INDEX ) 

ITF.MP  «  ITFMP  ♦  JSTAPT  ♦  TFOOUI  1 
ITEMP  *  MOOdTEMP,  NLTAR) 

INOFX  «  INDEX  ♦  1 

RFTURN 

END 


SUBROUTINE  OECODE < ITFMP) 

COMMON  /]/  KEY(20).NX(S00)#NY(SO0)*N7(qf)n>. 

1 J * I FOOLU ♦ NWOPOS *  NL  TKE Y  *  NL  T AB ,  I MOF  X 
IF ( INOFX.GT.NLTKEY)  index  S  ] 

ISTART  *  KEY ( INDEX ) 

ITFMP  a  ITEMP  -  ISTART  -  IFOOLIJ  ♦  1 
50  IF(ITEMP.LF.O)  ITFMPalTPMP  ♦  Nl  TAh 
IF(ITEMO.LE.O)  60  TO  GO 
ITEMP  *  MOOdTEMP,  Nl  TAR) 

INOFX  *  INDEX  ♦  1 

RETURN 

END 

KEY  *  KITTY  HAWK 

MESSAGF 

NOW  IS  THE  TIME  FOR  ALL  GOOD  MEN  TO  COMF  TO  THE  a  in  OF  coma  TRY. 

2.43? 

2.438 

CIPHER  MFSSAGF 

DCVsMSS  J<RHHL  IF  t<TRv  K»K*R.  .C<B*SSF.»<n<PwMaXSAYC  J  *h\>P  I  :<:KHBvMT^)f  f  t-t  < 
s|Fcv.  - 

*•441 

2.44B 

DECODED  MESSAGE 

NOW  IS  THE  TIME  FOR  ALL  GOOD  MFN  TO  COME  TO  TMF  •»•)  of  r^Hu  COiiktov, 


UNIVERSITY  OF  TFXAS  6600  l»T  ] 

UDTE249.  200TE  READ. 

UBTE249.  MODULO* • 7*47000* 17. PHAU0007*GARRTSOV. 
U8TE249.  RUN(SX) 

UBTE249.  CTIME  000*9?3  SFC.  RUN  I  EVFL  40* 
UBTE249.  LOO. 

U8TE249,  LOADER  UNUSED  STORAGE  032030, 
UBTE249.  END  -  MOOULO 
UBTE249.  CR  000.461  SEC. 

UBTC249.  RR  003*17}  SEC. 

U8TE249.  TM  002*673  SEC. 


3  (OCTAL) 
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4.9  Other  Techniques  to  Insure  Static  Protection 

In  addition  to  cryptographic  methods  there  are  other  techniques 
possible.  It  would  be  possible  to  store  supervisory  assigned  tags  in 
each  data  word  or  block.  If  accessed,  this  tags  alert  the  computer  of  an 
illegal  jump  into  a  page  or  block  of  memory.  Normally  all  accesses  to 
the  memory  space  must  be  made  through  an  entry  point.  If  anyone  jumps 
into  the  memory  space  in  an  execution  mode  and  avoids  the  normal  entry 
point,  he  will  be  detected.  One  possible  way  to  Implement  this  is  to  load 
a  header  word  on  each  page  with  a  supervisory  assigned  tag,  which  serves 
as  the  entry  point.  The  header  word  then  arms  the  sentinal  word  with  the 
value  of  the  tag  given  it  by  tho  supervisor.  The  sentinel  words  are 
placed  at  various  points  in  the  page.  Upon  reaching  one  of  the  sentinel 
or  check  points  the  supervisor  would  request  that  the  user  identify  himself. 
If  the  user's  supervisory  assigned  tag  does  not  agree,  he  would  be  put 
into  a  loop  or  some  delaying  routine,  until  he  could  be  traced,  or  his 
accesses  would  be  aborted.  This  technique  provides  protection  against 
parties  entering  an  unauthorised  data  or  command  space  without  going 
through  the  proper  entry  points .  Encryption  does  not  protect  against 
illegal  entry  but  attempts  to  render  useless,  information  so  obtained. 


Sentinel  Technique: 


47 


23 


Header  Word  User  2's 
normal  entry  point  for 
this  block  or  page 


If  user  attempts  entry  here 
he  will  be  detected  upon 
reaching  sentinel 


User  2's  Tag 
Userl’s  Tag 


Another  possibility.less  wasteful  of  bits,  is  to  allow  the 
user  to  assign  the  parity  scheme  to  be  used  within  each  data  word 
within  his  file.  Thus,  anyone  using  the  program  who  does  not  know 
the  scheme  will  be  detected  os  a  non-user  since  parity  errors  will 
result.  To  demonstrate  the  point  consider  a  48  bit  data  word  o i 
six  8-bit  bytes.  Attached  to  each  byte  is  an  extra  bit  or  parity  bit. 

This  bit  Is  always  such  that  the  number  of  i‘s  is  either  odd  or  even  in 
each  byte.  Thus. including  bits, there  are  $4  bits  in  each  data  word.  If 
an  even  parity  check  is  used  fo*  the  word, the  scheme  would  require  that 
all  six  bytes  be  even  parity.  It  would  thus  be  possible  to  specify  the 
parity  scheme  within  each  word.  This  parity  scheme  for  each  word  could 
be  varied  from  program  to  program.  This  parity  scheme  could  be  specified 


by  a  file  owner  in  advance  and  thus  would  be  unknown  to  anyone  else. 
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This  scheme  could  be  very  easily  implemented  and  would  not 
require  any  special  equipment.. 

Parity  bit  scheme  withir  a  word: 


000111 


000000 


111111 


111000 


000111 


Parity  bits 


7" . 7 . 7  7  S'— 7 


010101 


Address  Permutation  Within  a  Page: 

This  method  extends  the  virtual  address  scheme  described  earlier 
to  permutation  of  addresses  within  a  page.  This  scheme  thus  scrambles 
addresses  within  a  page  so  as  to  make  sequential  execution  or  copying 
meaningless.  The  rcrambler  could  operate  effectively  without  the  user's 
knowledge, requiring  only  that  the  unscrambling  be  effected  when  the 
proper  user  is  using  the  file.  This  requires  storing  the  transformation  key 
for  quick  access. 

Inter-Page  Address  Permutation 


Virtual 

Address 

Space 


Paging 

By 

Machine 


Audrcss 
Permutation 
Within  a  Page 


I 


Exp:  Address  Permutation  Key:  4231 
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Bit  Permutation  Within  A  Word 

Bit  permutation  is  similar  to  the  Vernam  system  except  we  do 
not  perform  a  complementative  transformation  but,  rather  rearrange 
bits  within  a  word  according  to  some  prearranged  key.  The  example 
shows  how  this  might  appear. 

123456789  Data  word  for  manipulation 

369742185  Word  in  Storage 

[Key:  (3,6  9  7  4  2  1  8  5)] 


The  permutation  technique  is  best  performed  at  the  bit  level, 
rather  than  at  the  character  level  or  byte  level, since  it  would  be  easy 
to  unscramble  characters  making  up  a  common  occuring  instruction. 
Consider  the  permutation  A  X  C  1  which  wo  uld  be  recognizable  as 
C  L  AX.  At  the  bit  level  this  situation  would  not  be  so  obvious. 
When  the  Vernam  technique  is  combined  with  permutations  of  bits, 
the  possible  combinations  get  large  quickly. 

Consider  N  words  per  page  (N  =  210) 

No.  of  possible  permutations  ■  (n!) 

* 

No.  of  possible  complementations, 
in  a  word 


> 


Of  course,  associated  with  this  technique  are  the  needs  for  simple  permu 
tatlon  and  depermutation  algorithms  and  a  simple  method  for  permuting 
2^  numbers. 


COMPARISON  OF  TECHNIQUES 


PART  V 


EXPLANATION  O?  COMPONENTS  AND  DATA  FLOW  OF  A  SECURE  DATA  BANK 

5.1  Privacy  Recognizer  and  Classifier 

The  operation  of  this  phase  depends  upon  the  policy  established 
for  system  operations.  These  policies  would  be  highly  organized  and 
closely  regulated.  Data  normally  comes  into  the  system  through  a 
recognizer  and  classifier,  (Figure  10)  where  it  is  determined  if  information 
is  of  a  sensitive  nature.  If  not  sensitive,  it  is  sent  to  the  access  control 
portion  of  the  system  for  storage.  If  it  is  sensitive,  check  is  made  to  allow 
them  to  determine  for  themselves  if  the  information  is  valid  and  if  it  can 
be  used.  Meanwhile,  the  data  in  question  is  stored  very  securely.  If 
storage  permission  is  obtained,  a  security  classification  is  suggested,  and 
the  information  is  retrieved  for  classification  and  then  submitted  to  the 
system.  If  permission  to  store  the  data  is  denied  the  information  in  equestion 
is  purged  from  all  files.  This  i.i  verified  by  a  search  made  through  the 
system  for  all  copies  of  the  data,  which  include  those  stored  in  the  backup 
files,  change  files,  etc.  All  copies  are  deleted  and  the  indiv^  is 
notified. 

5.2  Access  Control  and  Management 

This  unit  is  responsible  for  implementing  the  access  control  and 
file  manipulation  restrictions  outlined  in  the  section  on  protection  mechanisms. 
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Figure  10  -  INFORMATION  CLASSIFICATION  PHASE 
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A  logical  choice  of  what  access  control  capabilities  a  data  bank  would 
require  would  be  implemented  and  inserted  at  this  point. 

5.3  The  Processor 

The  processor  functions  in  a  physically  secure  environment 
so  as  to  insure  its  Integrity  for  execution.  The  processor  also  Initiates 
action  by  the  encoder. 

5.4  The  Encoder 

The  encoder  pe 'forms  some  logical  transformation  on  the  data 
before  it  is  stored  in  the  file.  The  topic  of  privacy  transformation  and 
encryption  was  discussed  previously. 

5.5  Communications  Loop 

The  communications  loop  represents  a  portion  of  the  system  that 
would  be  required  if  the  processor  and  mass  storage  file  are  physically 
separated.  If  they  are  in  the  same  room, the  loop  is  obviously  not  re¬ 
quired.  The  encoder  is  still  desirable  to  provide  protection  if  access 
management  and  file  restrictions  fall  to  protect  the  data.  Input  and  output 
validation  requires  certification  of  input  and  output  data  streams .  This  Implies 
rechecklng  authorisation  by  use  of  an  alternate  communications  line  or 
by  retransmission  on  an  alternate  loop. 

5.6  File  Processor  and  **  laoement  Routine. 

File  processor  and  management  routines  are  visualised  as  merely 
cataloging  and  filing  routines.  These  routines  manage  use  of  storage 


space  and  fetch  and  store  encrypted  records.  The  file  processor  functions 
independently  of  the  main  processor.  The  main  processor  addresses 
the  file  processor  and  cannot  bypass  it  to  fetch  records.  Th~  file  pro¬ 
cessor  is  charged  with  file  storage  management  and  protection  or  pro¬ 
tection  of  static  storage.  This  storage  protection  is  largely  concerned 
with  protecting  the  files  from  security  violations  and  system  failure.  In 
the  case  of  a  delete  or  change  request  this  system  insures  that  all  copies 
of  record  regardless  of  the  file  are  changed  or  destroyed.  Depending 
upon  the  value  of  the  stored  data  .the  data  may  be  given  several  types  of 
protection.  Possible  options  on  the  storage  schemes  would  be 

1 .  No  protection 

2.  Main  File,  Backup  file 

3.  Main  File,  Backup  file,  and  change 

file  for  recording  changes  during  transactions . 

4.  Encrypted  File 

5.  Encrypted  File  and  options, 3 

If  all  the  Information  is  not  criticahthen  we  may  not  require 
protection  at  ati.  If  it  is  lost, it  can  easily  be  replaced  at  a  later  time. 

The  protection  level  can  be  increased  by  providing  backups  and  a  change 
file  capability  so  that  insurance  against  physical  destruction  of  a  file 
is  available .  The  encrypted  file  and  combination  of  encryption ,  backup  and 


change  file  offer  the  highest  level  of  protection  but  require  extensive 
overhead. 

5.7  Decoder 

The  decoder  performs  the  reverse  transformation  on  data  enabling 
the  processor  to  operate  on  the  data  fetched  from  storage.  The  inverse 
of  the  key  used  to  encode  the  data  is  used  to  decode  the  data. 

5.8  System  Monitor 

All  flow  of  data  through  the  system  is  monitored  by  the  various 
monitoring  functions  indicated.  Activities  of  the  access  control,  pro¬ 
cessor,  encoder-decoder,  communications  loop  and  file  are  monitored 
whenever  data  is  being  moved  within  the  system. 


PART  6 


CURRENT  STATUS  OF  SECURITY  ORIENTED  SYSTEMS 

Several  systems  have  been  designed  to  increase  security  of 
stored  data.  Multics,  RUSH,  Cambridge,  ADEPT-50  and  the  BCC 
Model  I  are  all  working  systems.  While  these  systems  or  any  system 
is  not  the  ultimate, they  represent  a  significant  attempt  toward  imple¬ 
mentation  of  a  protected  system.  The  Cambridge  University  File,  RUSH, 
BCC  Model  I  and  the  Adept-50  are  described  as  they  represent  interesting 
approaches  to  system  organization.  The  basic  concept  behind  the  Multics 
system  is  discussed  and  commented  upon. 

6.1  Cambridge  University  File  Protection  System 

This  system  is  based  around  a  Titan  computer.  Ansocia'ed 
with  each  file  is  a  privacy  arrangement.  File  activities  a»e  divided 
into  two  classes: 

Class  I:  This  class  permits  execution,  read, 
delete,  update,  and  change  of  sta  us  of  a  file. 

Class  II:  This  class  permits  several  activities 
of  which  two  are  file  creation,  modification,  or 
deletion  of  a  privacy  arrangement. 

Class  I  activities  are  represented  by  a  4x5  matrix  of  1  bit  elements. 

The  activity  is  represented  by  the  "ith"  column  of  the  array  and  con¬ 
tains  a  1  If  that  activity  is  permitted,  otherwise.  It  is  zero.  Each 
row  corresponds  to  a  category  of  users,  Categoty  1  is  file  owner  and 
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category  4  is  used  in  connection  with  "public  files."  Whenever  a  file 
is  created  the  user  declares  activities  permitted  for  each  file  category 
by  entering  four  alphanumeric  characters . 

Example: 

F  R  N  N  Where: 

F  =  free  access  to  all  category  1  users 
R  =  read  and  execute  permitted  by  all  category  2  users 
N  **  no  access  permitted 
The  matrix  associated  with  this  arrangement  is: 


a 

b  c  d  e 

Category  1 

1 

1111 

a  =  Execute 

Category  2 

1 

10  0  0 

b  **  Read 

Category  3 

0 

0  0  0  0 

c  »  Update 

Category  4 

0 

0  0  0  0 

d  »  Change  of  Status 

Nonowners  may  use  other  files  if  arrangements  have  been  made 
with  the  owner.  This  comes  under  category  2  manipulations.  Additional 
identification  is  required  by  the  system  in  this  mode  and  the  password 
used  must  satisfy  some  requirement  set  by  the  owner  of  the  file  to  be 
accessed. 

The  advantage  of  this  scheme  is  that  it  allows  a  very  precise 
and  understandable  device  for  setting  up  the  access  profiles  for  all 
users.  The  matrix  can  he  examined  onoe/ind  those  files, where  no  access 
restrictions  are  imposed, can  be  allowed  maximum  freedom,thus  reducing 
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the  necessity  of  validating  an  access  everytime.  Whenever  a  restricted 
file  is  accessed, it  may  be  easily  authenticated.  The  matrices  needed 
are  small  and  can  be  easily  stored. 

The  primary  disadvantage  of  ..his  approach  is  that  it  is  dependent 
on  the  integrity  of  the  underlying  software,  admittedly  not  a  unique 
problem.  While  the  Cambridge  system  gives  the  user  assistance  in  setting  up  his  files , 
it  is  only  as  good  as  the  protection  structures  used  at  the  file  level. 

6.2  .Dynamic  Protection  Structures  and  the  Berkeley  Computer  Corn.  Model  I 

The  capability  list  scheme  can  be  extended  beyond  that  described 
by  Dennis  and  Van  Horn  and  is  so  discussed  by  I.ampson  [9],  Three 
fundamental  ideas  are  essential  to  this  approach. 

1.  Objects  are  given  unique  unalterable  names  called 
Capabilities.  The  possession  of  a  capability  is 
considered  the  right  to  access  ie  object  of  that 
capability. 

2.  Capabilities  are  grouped  into  objects  called  domains . 

Whenever  control  passes  from  one  domain  to  another, 
capabilities  change. 

3.  Within  each  domain  are  special  capabilities  called 
access  keys.  These  keys  are  the  authorisation  to  the 
domain  to  grant  capabilities  within  itself.  Each  domain 
thus  maintains  Us  own  access  keys  and  identification. 


This  scheme  allows  relative  freedom  in  writing  programs  and 
debugging.  It  insures  that  elaborate  pre- arrangements  are  not 
necessary  for  integrating  programs.  Additionally  it  maintains  a  degree 
of  flexibility  in  implementation  so  that  modifications  can  be  made  at 
a  later  date. 

The  capabilities  mentioned  can  be  any  word  protected  by  the 
supervisor  or  tagged.  That  word  must  not  be  alterable  by  anyone 
except  the  supervisor.  A  program  running  in  a  domain  refers  to  a 
capability  by  using  an  unprotected  name.  A  check  is  made  to  authen¬ 
ticate  the  name  of  the  capability  to  see  if  it  is  contained  within  the 
domain. 


Capability: 


Tag 


Type 


Value 


Tag  =  read  only,  except  to  supervisor 
Type  =  File 

Value  =  disk  address  of  Index 

These  are  capabilities  for  various  objects  in  the  system  such 
as  files,  pages,  processes,  domains,  interrupts,  terminals,  and  access 


keys. 

Arrangement  of  memory  Is  closely  related  to  the  nature  of  the 
domain.  If  the  mapping  hardware  is  viewed  as  part  of  the  capability 
schome,  accessing  segments  through  capabilities  implies  that  a  domain 


is  just  a  collection  of  capabilities. 
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Generally  the  hardware  in  the  system  does  not  allow  direct 
addressing  of  address  spaces  between  domains.  To  circumvent  this 
problem  either  a  complex  communication  routine  must  be  built  in  or  the 
hardware  must  be  orgainzed  so  that  the  address  space  of  one  domain 
is  a  subset  of  another.  This  restricts  versatility  but,  the  ring  like 
structure  is  often  satisfactory. 

The  problems  of  domains  and  processes  also  depend  on  the 
system.  The  capabilities  in  the  domain  are  used  to  control  processes. 

Thus,  processes  can  be  restricted  to  running  in  specified  domains. 

Calls  and  transfers  of  control  are  handled  by  the  use  of  gates  which 
can  be  passed  as  a  capability.  Gates  are  used  to  control  entry  points 
with  entry  usually  allowed  only  at  one  point.  A  call  stack  is  used  to 
insure  that  control  is  returned  to  the  proper  point.  Interrupts  and  traps 
can  cause  a  transfer  between  domains  when  there  is  a  need  to  force 
an  action  on  the  system. 

The  use  of  capabilities  and  domains  provides  a  basic  frame¬ 
work  in  which  program  protection  can  be  achieved  and  security  realized. 
However,  there  are  complications.  If  the  structure  is  a  ringed  one, 
the  problems  are  easily  handled  since  it  is  assumed  that  any  access  to 
an  inner  ring  is  generated  by  the  proper  calling  program.  In  the  case 
of  a  complicated  overlapping  structure  of  domains, however, where  all  the  domains 
not  subsets  of  others, then  additional  information  hrs  to  be  kept  as  to 
the  source  and  destination  of  every  call.  Checks  have  to  be  made  when- 
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ever  an  attempt  to  access  a  file  is  made  as  to  whether  the  call  came 
from  a  legitimate  source. 

6.3  The  RUSH  Time  Sharing  System 

The  privacy  measures  in  the  RUSH  time-sharing  system  (Remote 
users  of  shared  hardware)  utilizes  80  modules  of  processors  operating  in 
a  time  sharing  mode  on  an  IBM  360  model  50.  A  monitoring  executive 
controls  60  remote  terminal  users.  The  programs  are  stored  in 
2,097,152  bytes  directly  addressable.  Rush  coexists  with  the  360 
option  2  (multi-programming  fixed  tasks)  and  uses  IBM's  file  manage¬ 
ment  schemes. 

The  user  of  RUSH  converses  with  an  IBM  2741  Selectric  or  a 
Teletype  Mod  28,  32,  33,  35,  or  37.  Rush  is  business  or  scientific- 
The  only  conversational  language  offered  is  a  problem  oriented 
version  of  of  PI.l.  Software  protection  is  provided  for  the  RUSH  monitor 
since  IBM  has  none.  The  principle  devices  used  are: 

I.  A.  Blocking  user  sign-on,  LOGIN  contains  three  levels 
of  protection. 

1 .  Master  Account  Identification 

2.  Sub  account 

3.  Protection  key  on  (2) 

B.  A  second  try  at  a  valid  master  account  causes  a  disconnect 

If  the  protection  key,  after  it  is  entered,  is  improper,  a  disconnect 


will  result. 
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II.  Protecting  User  Program  and  Data  Files 

A.  Object  of  a  LOAD/SAVE  statement  is  1  or  2 

parameters.  (Name,  Key) 

1 .  User  supplies  the  name  of  the  file  and 
may  optionally  add  a  key. 

2 .  First  four  characters  of  the  Key  are  for 
"read  only"  requests,  and  a  full  six 
characters  are  required  in  order  to 
write  over  the  name  on  the  disk. 

3.  LOAD/SAVE  area  is  under  master  account 
name.  This  area  cannot  be  executed  in 
a  loop,  and  it  is  difficult  to  figure  out 
the  key  by  trial . 

III.  The  remote  job  entry  mode  (RJE)  allows  building  a  job  stream  in 
a  sepa^te  partition  oi  memory.  The  customer's  identification  and  file 
name  must  agree  with  his  master  account  in  the  LOGIN  statement.  The 
user  cannot  read  or  write  on  files  other  than  his  own. 

The  RUSH  uses  full  system  360  memory  protection  features.  Memory 
can  be  protected  in  blocks.  Only  legal  blocks  for  a  particular  active  user 
can  be  processed  by  the  executive.  Furthermore,  the  executive  is  operated 
under  a  key  that  disallows  all  "store  commands"  within  itself;  thus  it  cannot 


destroy  itself. 
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IV.  There  is  no  protection  in  the  RUSH  system  against  hard¬ 
ware  penetration  such  as  wiretaps.  Attempted  hardware  penetrations 
are  logged  after  forcing  a  disconnect.  A  call  back  system  is  avail¬ 
able,  whereby  a  user  may  invalidate  an  attempted  access.  The  system 
is  fully  interpretative  and  snooping  can  be  analyzed.  Typewriters  with 
no  printout  and  change  of  account  numbers  on  a  rotating  basis  help 
insure  greater  security. 

The  security  procedures  in  the  MULTICS  SYSTEM  are  basically 
divided  into  two  areas  (1)  Compartmentalization  -  which  is  the  idea 
of  separating  various  activities  of  the  supervisor  to  minimize  abuse  of 
each  one.  (2)  Auditability  -  that  is  to  say,  high  level  trace  and  analysis 
routines, which  are  used  to  spot  unauthorized  terminals  and  to  verify 
that  the  terminal  supposedly  running  is, in  fact, the  one  that  was 
originally  authorized. 

6.4  Adept-50  Time  Sharing  System 

The  Adept-50  Time  Sharing  System  uses  software  for  implementing 
its  security  wall.  In  this  system,  four  security  objects  are  used,  the 
user,  terminal,  file,  and  the  job.  Each  group  of  objects  are  identified 
and  are  further  enhanced  by  a  security  profile  triplet,  Authority,  Franchise, 
(Need  to  Know)  and  Category  (e.g. ,  Eyes  Only,  Crypto). 

Whenever  a  user  successfully  logs  in* his  security  profile  is 
retrieved  and  dynamically  derived  for  the  user  as  a  function  of  his  job 
and  the  terminal.  These  profiles  act  as  keys  for  using  Adept- Files. 


Through  the  use  of  Create  .command. the  file  owner  can 
establish  authorizations  to  access  and  the  type  of  access  permitted 
for  his  users.  A  Change  command  permits  modification  of  properties. 

The  advantages  of  this  system  lie  in  the  tact  that  it  is  based 
on  a  well  formed  model  of  a  realistic  security  structure.  It  enables  a 
file  owner  to  establish  a  security  profile  for  the  users  of  his  files . 

The  system  also  has  the  capability  of  remembering  the  security  history 
of  previously  created  files.  The  system  is  flexible  and  easily  applied. 

The  primary  disadvantages .  as  noted  by  the  designer. is  in  the 
amount  of  critical  coding, the  dispersal  of  programs, and  data  in  memory 
which  degrade  confidence  in  the  system.  The  system  also  needs  more 
security  compartments  or  classifications  and  error  detection  of  security 
profile  data  to  increase  user  confidence.  A  primary  disadvantage  of 
this  system  and  most  security  systems  is  that  they  are  all  based  around 
computers  which  are  not  security  orientated  at  all  levels.  As  such  most 
of  the  protection  is  based  in  software,  which  makes  it  highly  operator 
dependent.  The  best  solution, it  would  seem, would  be  to  provide  the 
security  at  the  hardware  level  with  complimentary  software  used  to 
supervise  the  overall  system. 

If  one  is  forced  to  choose  any  of  the  schemes  as  preferable. the 
capability  list  approach  is  probably  superior  to  the  ringed  structure  as 
implemented  in  Multics.  The  capability  scheme  allows  distribution  of 
control  and  cost  throughout  the  files.  The  ringed  structure  can  quickly 
become  expensive.  Consider  the  structure  on  the  following  page. 


MULTICS  RINGED  STRUCTURE: 


Data: 

(As  requested 
by  File  1  or 
File  2) 


Control: 
(Requested  for 
data  from  File  3) 


1  (Process  1) 


2  (Process  2) 

3  (Data) 


In  the  ringed  structure  .data  flows  inward  from  file  3  to  file  l; 
but  data  cannot  flow  the  other  way.  In  many  cases,lt  would  be  possible 
to  ruin  a  file  by  passing  bad  data  to  an  inner  ring  necessitating  the 
keeping  of  backup  files  in  case  correction  is  needed.  Validation  of 
data  may  be  required  before  data  is  accepted.  As  long  as  we  stay  within 
a  ring  there  are  no  problems.  As  indicated. control  passes  from  the  inner 
ring  to  the  outer  rings  necessitating  validation  of  control  each  time  an 
inner  file  requests  data  from  an  outer  file.  If  there  are  many  rings,  the 
system  quickly  deteriorates  in  efficiency. 

In  any  system  which  attaches  authority  items  to  each  file  such 
as  the  capability  list.  There  is  the  problem  of  duplication  of  pertinent  authority, 
items  for  protected  fields  in  one  file.  Consider  J  users,  K  private  fields, 
in  each  of  L  files,  and  if  each  user  has  access  to  the  files  of  S  users. 
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then  SxKxL  entries  are  to  be  made  in  each  authority  item  for  the  protection 
of  the  user.  If  there  are  I  users ,  then  there  are  T  =  JxSxKxL  entries  to  be 
maintained .  If  J  =  200  ,K=4,L=2,S  =  10  then  F  =  16 , 000 .  Considering 
storage  used  per  entry,  storage  and  maintenance  may  be  too  high.  As  J 
approaches  J-l  the  system  becomes  inefficient  for  it  is  maintaining  large 
lists  of  unauthorized  users.  Thus,  it  will  be  necessary  to  periodically 
purge  the  system  of  inactive  users  placing  them  on  some  type  of  inactive 
capability  list. 

6.5  Locating  the  Security  Wall 

There  are  problems  associated  with  deciding  where  to  build  the 
security  wall .  By  security  wall  we  mean  the  point  at  which  primary 
system  security  is  implemented.  There  are  two  points  where  the  problem 
can  be  tackled:  (1)  at  the  access  managements  level,  where  most  efforts 
are  usually  directed  and  (2)  at  the  data  base.  If  we  make  a  system 
impregnable,  there  are  overhead  and  customer  convenience  problems. 
Alternately,  we  may  desire  to  have  a  very  open  system  with  easy  access 
and  low  level  trace  and  suditobility.  Yet  if  we  desire  an  open  syste,  and 
we  must  still  provide  security  since  we  must  insure  that  any  accidental 
or  deliberate  access  of  material  dot  s  not  compromise  a  file.  This  leads 
us  to  the  possibility  of  encoding  the  data  base.  Figure  (11)  shows  the 
four  possible  situations  involved  in  planning  a  system.  The  horizontal 
axis  represents  a  security  capability  at  the  data  base  while  the  vertical 
axis  represents  increasing  diligence  of  access  authentication  and  increasing 
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process  restrictions.  As  to  which  quadrant  a  system  is  to  operate  in 
depends  upon  the  environment  and  to  a  large  extent  on  cost  and  use 
of  the  system.  A  dedicated  military  system  operating  in  a  potentially 
hostile  environment  would  be  best  operated  in  the  first  quadrant. 


Data  Bose  Security  Level 


Figure  1 1 
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It  is  not  hard  to  visualize  cases  where  second  or  fourth 
quadrant  systems  might  be  practical.  Realistically  speaking  most 
systems  operate  in  the  second  or  third  quadrant  for  reasons  of  cost . 
Significantly,  an  encrypted  data  base  is  novel  and  somewhat 
Impractical  for  a  large  class  of  circumstances.  It  is  certainly  con¬ 
ceivable  that  a  system  might  operate  on  the  axis  or  combine  all  ideas 
in  greater  or  lesser  degrees. 


PART  7 


FUTURE  WORK 

The  future  of  the  data  bank  l»es  in  designing  a  system  with 
adequate  protection  yet  not  so  complex  or  expensive  as  to 
discourage  its  use.  The  easiest  way  to  kill  an  idea  is  to  implement 
it  in  a  way  as  to  make  it  too  troublesome  for  the  majority  to  use.  The  Vhy 
bother  attitude ‘Is  the  major  bottleneck.  The  development  of  new  schemes 
for  access  control  and  file  management  are  thus  indicated. 

Additionally  there  is  room  for  improvement  in  the  technique  used 
to  protect  memory  in  many  computers  especially  the  large  time  sharing 
machines  as  these  will  be  part  of  any  data  bank  or  computer  utility.  The 
paging  computer  using  a  virtual  addressing  scheme  offers  an  excellent 
opportunity  for  improving  the  security  of  the  memory  itself. 

7 •  1  Directed  Graph  Organization 

One  technique  worthy  of  study  from  a  cost  efficiency  standpoint 
is  the  organization  of  a  system  by  the  representation  of  files  and  processes 
as  nodes  of  a  directed  graph.  If  this  were  done  it  would  be  possible  to 
maintain  a  connectivity  matrix  LC]  specifying  the  accesses  permitted 
stalling  at  a  given  entry  point.  In  a  connectivity  matrix  the  presence 
of  a  one  in  the  intersection  of  any  row  and  column  implies  a  path  exists 
from  a  source  the*  number  of  the  row)  to  a  destination  (the  number  of  the 
cotumn).  A  zero  implies  no  path.  Thus  there  is  an  implied  direction  in 
the  directed  graph  and  ;l  c  matrix: 
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Connectivity  [C]  matrix: 

12  3  4 
10  10  1 
2  0  0  1  0 

3  0  0  0  1 

4  0  0  0  0 

Whenever  a  file  is  added  the  connectivity  matrix  is  updated 
to  reflect  the  new  connection.  More  useful  is  the  Reachability  matrix 
(R-matrix)  derivable  from  the  C  matrix.  This  gives  thr  files  that  could 
be  reached  from  any  one  point  assuming  no  restrictions  within  the  files. 
For  example  the  R-matrix  reveals  what  is  obvious  from  the  graph,  that 
file  one  can  reach  any  file  while  file  foyrean  reach  none  .  The  fact  that 

12  3  4 
11111 
2  0  0  1  1 

3  0  0  0  1 

4  0  0  0  0 
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£  file  cannot  reach  itself  impti.es  no  loops.  It  is  also  worthwhile  to  note 
that,  if  we  remove  path  1  -  4  changing  the  C  -  matrix,  the  R  -  matrix  does 
not  change.  Reachability  studies  car.  reveal  much  about  the  nature  of  the 
file  structure. 

This  sort  of  top  down  organization  is  not  practical  in  most  cases 
due  to  its  lack  of  flexibility.  However,  if  the  files  are  static  in  number 
and  are  not  subject  to  frequent  reorganization,  this  approach  might  be 
practical .  This  end  wou’d  be  aided  by  the  acceptance  and  creation  of  the 
so  called  data  descriptive  languages,  which  would  attempt  to  standardize 
internal  lepresentatiori  of  stored  data. 

7 . 2  Conclusions 

The  role  of  the  designers  in  planning  a  public  data  bank  will  be 
to  develop  the  techniques  necessary  to  insure  that  privacy  does  not  become 
impractical  or  too  costly.  The  right  to  privacy  is  "sacred"  and  it  would 
be  a  shame  to  see  it  forsaken  just  for  the  sake  of  simplifying  the  design 
of  a  data  bank. 

In  apprasiny  the  effect  that  la*ge  data  banks  will  have  upon 
society  one  must  first  consider  what  direction  the  managerial  policies  of 
the  bank  will  take.  If  the  policy  makers  are  allowed  to  go  unchecked 
without  thorough  and  carefully  formulated  guidelines,  the  public  will  suffer 
unwarranted  intrusion  into  its  affairs  by  public  and  private  agencies  with 
disastrous  consequences. 


nr,  -ttftiihffla, 


109 


Recognizing  the  problem  is  unfortunately,  only  the  beginning.  The 
nature  of  the  threat  and  the  most  effective  countermeasure  must  be  set 
forth.  The  countermeasures  one  employs  in  assuring  privacy  of  data  bank 
files  or  computer  integrity  are  varied,  and  very  little  analysis  of  their 
effectiveness  has  been  made.  One  can  appreicate  the  problem  having 
heard  the  story  of  six  computer  experts  in  California  last  year  who  set  out  to 
see  how  much  trouble  it  would  be  to  rig  vote  counting  computers .  In  spite 
of  efforts  by  fraud  detection  experts  they  succeeded  in  rigging  the  computers 
in  two  out  of  every  three  tries. 

It  is  evident  that  more  study  into  the  organization  of  computers, 
data  banks,  and  information  retrieval  systems  from  a  security  point  of 
view  is  required  if  confidence  in  a  public  data  bank  is  to  be  realized.  All 
considered,  the  public  data  bank  could  be  useful,  but  until  effective 
policy  controls  are  innaguarated,  and  security  technology  catches  up  with 
the  threat,  the  public  data  bank  is  likely  to  be  one  of  those  "good"  ideas 


that  never  get  off  the  ground. 
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